MongoDB wide open on the web

mongoThe creator of the Shodan search engine has found more than 35,000 publicly accessible and insecure MongoDB databases on the Internet

John Matherly said that the numbers appear to be growing and they expose 684.8 terabytes of data to potential theft.

This is Matherly’s second look at the MongoDB. In July he found nearly 30,000 unauthenticated MongoDB instances. He had another look after security researcher named Chris Vickery found information exposed in such databases that was associated with 25 million user accounts from various apps and services, including 13 million users of the controversial OS X optimisation program MacKeeper.

The rise in numbers is somewhat strange as newer versions of the database no longer have a default insecure configuration which made them vulnerable.

MongoDB versions 3.0 and newer only listen to “localhost,” so they don’t accept remote connections from the Internet. Yet, version 3.0.7 accounts for the largest number of exposed installations (3,010) found by Matherly and version 3.0.6 is also in the top five with 1,256 instances.

Writing in his bog, Matherly said that MongoDB 3.0 was well-represented means that a lot of people are changing the default configuration of MongoDB to something less secure and aren’t enabling any firewall to protect their database.

“It could be that users are upgrading their instances but using their existing, insecure configuration files.”

The majority of the insecure MongoDB instances are hosted on cloud computing platforms run by DigitalOcean, and Alibaba Group.

If the information found by Vickery, such as names, email addresses, birth dates, postal addresses, private messages and insecure password hashes.