Developers leaving MongoDB databases wide open to attack

White-hat researcher claims to have found the credentials of 25 million people - including 13 million MacKeeper users and 5,000 users of a dating app for HIV-positive singles - openly available online to hackers in MongoDB databases.

Get your spanners out: Hackers using scripts to scan internet for leaky databases

The personal details of around 25 million people, including 13 million Apple Mac users, have been left exposed to hackers in a string of misconfigured databases, according to whitehat security researcher Chris Vickery.

Over the past two weeks, Vickery said he has gathered data such as the names, emails, easily crackable passwords and IP addresses of 25 million online accounts, all publicly available for anyone to access on MongoDB databases, with no ‘exploit’ required.

Vickery got the data simply by using the Shodan internet search tool, which tracks and indexes internet-connected devices.

The creator of Shodan.io, John Matherly, released similar research in July, saying he had discovered 30,000 instances of MongoDB and almost as many instances of Redis databases that required no authentication to log in.

Matherly didn't poke around in the databases but it appears that Vickery has gone that one step further to prove just what was available for the taking.

As well as 13 million users of the controversial MacKeeper OSX security tool, Vickery reportedly got the credentials of 2.5 million users of online gaming site Slingo, over 2.6 million members of the OkHello video chat service and over 5,000 users of the highly sensitive Hzone dating app for HIV-positive singles.

Other people exposed include fans of Major League Baseball and Slipknot, school students in California and users of US social network Vixlet.

In a Reddit post on the issue, Vickery focused on the MacKeeper breach, saying he contacted the producers of the anti-virus software, Kromtech Alliance Corp, who rapidly plugged the leak.

Vickery explained: “I recently downloaded over 13 million sensitive account details related to MacKeeper and Kromtech. The search engine at Shodan.io had indexed their IPs as running publicly accessible MongoDB instances. No login required at all, the data was publicly available. No exploits or vulnerabilities involved. They published it to the open web with no attempt at protection.”

Vickery said the MacKeeper data featured “names, email addresses, password hashes, IP address, software licence and activation codes, type of hardware (eg, ‘MacBook Pro’) and phone numbers.”

And he confirmed: “I've discovered approximately 25 million exposed accounts' details for various sites and services over the past two weeks.”

Vickery has been working with Databreaches.net, which has published the full list of exposed databases.

The site says the Slingo data comprised 2.5 million users' first and last names, usernames, email addresses, password hashes, Facebook IDs, postal addresses and gender. “Chris notified them and they secured their database,” the site said.

MacKeeper's owner also admitted the flaw in a statement yesterday, saying: “Kromtech is aware of a potential vulnerability in access to our data storage system. We are grateful to Chris Vickery who identified this issue without disclosing any technical details for public use.

“We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access, performed by the security researcher himself. All customer credit card and payment information is processed by a third-party merchant and was never at risk.”

Commenting on Vickery's work, UK cyber-security expert Amar Singh said he has highlighted “a common problem that is still not being addressed”.

Singh, who is chair of ISACA's UK Security Advisory Group and CEO and founder of the Cyber Management Alliance and Give01Day.com, told SCMagazineUK.com via email: “I hate to say it, but it's becoming a bigger problem as more and more companies embrace the cloud. The cloud approach allows for incredible operational agility and flexibility which actually creates an almost perfect storm for this and other types of exposure of confidential information and credentials.”

To address the problem, he said: “Right now (1) you can get on shodan.io – the search engine that was used in this instance – and check if your database shows up on there; (2) run a penetration test on your key systems based on the most relevant threats to you and yes, check your internet-facing sites; and (3) prepare a response plan – you will be hacked and you need to ask yourself how swiftly you can respond.”

Singh added: “To add to the woes, increased automation and computing power means malicious hackers have automated scripts that are scanning the internet and cloud providers looking to exploit such exposures. In several instances, scripts have stolen cloud credentials, created computing instances and consequently companies have run up large unauthorised bills.”
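
The exposure described in this article comes down to two conditions: the database listens on a publicly reachable address and it accepts connections without a login. As an added example (not from the article or from any of the parties quoted), the Python sketch below audits a mongod.conf file for both. It assumes MongoDB's YAML configuration options net.bindIp, net.bindIpAll and security.authorization, which the article does not name, and the two sample configurations are constructed for illustration.

```python
import ipaddress

# Constructed sample configs (not from the article), in mongod.conf YAML form.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

def parse_conf(text):
    """Flatten the two-level YAML used by mongod.conf into {'net.bindIp': ...}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip() or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if not raw.startswith((" ", "\t")):       # top-level section header
            section = key
        else:                                     # indented option in a section
            settings[f"{section}.{key}"] = value.strip("\"'")
    return settings

def audit(text):
    """Return findings for the settings behind an open, login-free instance."""
    conf, findings = parse_conf(text), []
    if conf.get("security.authorization") != "enabled":
        findings.append("auth-disabled")
    if conf.get("net.bindIpAll") == "true":
        findings.append("binds-all-interfaces")
    for addr in filter(None, (a.strip() for a in conf.get("net.bindIp", "").split(","))):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                              # hostname or socket path: review by hand
        if ip.is_unspecified:                     # 0.0.0.0 or ::
            findings.append("binds-all-interfaces")
        elif ip.is_global:
            findings.append(f"binds-public-address:{addr}")
    return findings
```

A clean result from the config file does not replace the outside-in check Singh recommends, because firewall and cloud security-group rules also decide whether the port is reachable.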