Protect Your MongoDB – Story of “The Same Database”

It is normal now to hear stories about data breaches. Some of them involve publicly exposed databases, S3 buckets, etc. This kind of vulnerability falls under ‘Security Misconfiguration’, A6 in the OWASP Top 10 (2017).

“Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc. to gain unauthorized access or knowledge of the system.” – OWASP

Real-world Attack Scenarios:

https://www.zdnet.com/article/mongodb-server-leaks-11-million-user-records-from-e-marketing-service/

https://www.scmagazine.com/home/security-news/unsecured-mongodb-exposes-200m-records-of-chinese-job-seekers/


Search engines like Shodan and BinaryEdge are very useful for finding such exposed systems on the internet: webcams with default passwords, publicly exposed CCTV cameras, computers with port 3389 open, SCADA devices, MongoDB instances and more.

Shodan: Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters.
https://www.shodan.io/

BinaryEdge: in their words, “We scan the entire internet space and create real-time threat intelligence streams and reports that show the exposure of what is connected to the Internet.”
https://www.binaryedge.io/

MongoDB is an open-source database that is very simple and convenient to set up and use. If a MongoDB instance is reachable from the Internet, anyone can open MongoDB Compass and connect to it. If authentication is not enabled, attackers can read the data without having to hack anything at all: all the information is public!


Over a weekend I found similar issues; we call it ‘Shodan Safari’. In some cases I was able to identify the MongoDB owners and report the issue. I found a company’s MongoDB instance which had their employee information in a ‘users’ collection; the database also contained business-critical information.

I also noticed the activities of a cybercriminal group that was actively attacking open MongoDB instances and demanding ransom, so I felt the need to contact them as soon as possible and help them protect their information.

This is another MongoDB instance from a different organization; I guess it was too late to contact them. The cybercriminal group behind these attacks claims to provide a ‘Database Backup Service’.

I reported the issue via WhatsApp. A screenshot of the conversation went viral for different reasons, with more than 1500 RTs and 3.7 lakh+ impressions on Twitter and 1 lakh+ views on LinkedIn.
My phone was flooded with notifications for the next two days, so I thought about writing an article to raise awareness of the issue.

Here’s their response:

The issue was resolved within 24 hours of my first conversation on WhatsApp with one of their team members.


If your organization is using MongoDB, make sure that it is protected. ‘Seniors’ responsible for the security of larger organizations can keep a list of all the MongoDB instances, AWS S3 buckets, etc. used by the organization and review their access monthly or quarterly.
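As part of the access review recommended above, the two mongod.conf settings that turn an instance into an “open MongoDB” (a bind address reachable from the Internet and authorization left disabled) can be checked offline from the config file. The following checker is an added example, not the author’s code or a MongoDB tool; it assumes the YAML config has already been parsed into a dict (for instance with yaml.safe_load) and uses the real mongod option names net.bindIp, net.bindIpAll and security.authorization. The two sample configurations are constructed for the example.

```python
"""Offline audit of a parsed mongod.conf for the settings behind "open MongoDB":
listening on a public interface and running with authorization disabled.

Assumptions (example code): the YAML file has been parsed into a dict, e.g.
yaml.safe_load(open("/etc/mongod.conf")), and uses the real option names
net.bindIp, net.bindIpAll and security.authorization.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the kind of configuration behind an exposed instance.
EXPOSED_CONF = {
    "net": {"bindIp": "0.0.0.0", "port": 27017},
    # no "security" section, so authorization stays at its default (disabled)
}

# Constructed sample: the hardened counterpart of the same instance.
HARDENED_CONF = {
    "net": {"bindIp": "127.0.0.1,10.0.1.5", "port": 27017},
    "security": {"authorization": "enabled"},
}


def _is_local_or_private(addr: str) -> bool:
    """True for loopback and private-range addresses. Hostnames other than
    'localhost' cannot be classified offline and are reported for review."""
    if addr == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private


def audit_mongod_conf(conf: Dict) -> List[str]:
    """Return one finding per risky setting. An empty list means the config
    neither listens on a public interface nor admits anonymous clients."""
    findings: List[str] = []
    net = conf.get("net", {})
    security = conf.get("security", {})

    if net.get("bindIpAll"):
        findings.append("net.bindIpAll is true: mongod listens on every interface")

    # mongod binds only to localhost when net.bindIp is absent
    for raw in str(net.get("bindIp", "localhost")).split(","):
        addr = raw.strip()
        if addr in ("0.0.0.0", "::"):
            findings.append(f"net.bindIp includes {addr}: reachable from any network")
        elif not _is_local_or_private(addr):
            findings.append(f"net.bindIp includes {addr}: not a loopback/private address, review")

    # authorization defaults to disabled: every client then has full access
    if security.get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': unauthenticated clients can read and write")

    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['no findings']}")
```

Run against each inventoried instance’s config file, an empty result is the expected state; any finding for bindIp or authorization is exactly the condition that lets a Shodan query turn into a data breach.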

Feel free to let me know what you think about the article,
https://twitter.com/ashu_barot

About Ashutosh Barot

Ashutosh Barot is a Security Researcher and Tech Enthusiast who studied M.Tech in Cyber Security and Incident Response at Gujarat Forensic Sciences University, Gujarat, and now works at a Big 4 firm as a Cyber Security Consultant. He has been acknowledged by various organizations such as Twitter, US Department of Defense, Symantec, United Nations, J.P.Morgan, Trend Micro, Avira, Verizon Enterprise, IBM, Go Airlines, etc. for finding security flaws in web applications.