Update: Old, badly configured cloud databases leaking terabytes of data

News by Tom Reeve

Hundreds of terabytes of data is being exposed to the internet via publicly accessible NoSQL databases that aren't using any form of authentication.

That's according to security researcher John Matherly who has a bee in his bonnet when it comes to unsecured databases. He uses Shodan, a specialist search engine for internet-connected devices, to search for databases which don't have any authorisation enabled.

The root cause of the problem is configuration errors – most commonly in cloud installations.

One database he searched for was MongoDB, of which he found nearly 30,000 instances of badly configured internet-connected databases. But the problem was not limited to MongoDB – Matherly also looked at the Redis database and found a comparable number of vulnerable sites.

He said he was surprised by the findings because by default MongoDB listens on localhost so he was puzzled as to why so many installations would have been modified to listen to external connections.

It turns out there was an historic problem with the configuration defaults which had been noted as long ago as February 2012 by Roman Shtylman, he said.

On further investigation, he concluded that the problem was most likely to occur when MongoDB was deployed in a cloud, a conclusion based on the number of cases he found hosted at Digital Ocean, Amazon, Linode and OVH.

He wrote: “I've actually observed this trend across the board: cloud instances tend to be more vulnerable than the traditional datacenter hosting. My guess is that cloud images don't get updated as often, which translates into people deploying old and insecure versions of software.”

In fact, 40 percent of the MongoDB installations he discovered via Shodan were running a very old version – 1.8.1. The current stable release is 3.0.4.

“I could go on and on about these sorts of problems because they're everywhere and haven't been resolved for years,” he said. “Hopefully, more people will start looking at services that are responsible for the actual data and not solely focus on the web interfaces.”

[Update] Kelly Stirman, VP of strategy at MongoDB, said the problem comes down to user implementation. "The potential issue is a result of how a user might configure their deployment without security enabled. There is no security issue with MongoDB – extensive security capabilities are included with MongoDB," he said. 

Stirman published a blog post on 21 July detailing security best practices for MongoDB users which includes a link to its security manual.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews