
Discovered 40000 vulnerable MongoDB databases on the Internet

Three German students have discovered that tens of thousands of MongoDB databases running as a service or website backend were exposed on the Internet.

MongoDB is a cross-platform, document-oriented database that stores JSON-like documents with dynamic schemas (BSON), which eases the integration of data between different applications. MongoDB is very popular for its scalability, performance and high availability, and it is a valid solution even for very complex architectures; to achieve high performance, MongoDB leverages in-memory computing.

Today MongoDB is used by many organizations; the bad news is that nearly 40,000 entities running MongoDB are exposed on the Internet and at risk of hacking attacks.

Three students from Saarland University in Germany, Kai Greshake, Eric Petryka and Jens Heyens, discovered that MongoDB databases listening on TCP port 27017, used as a backend service by several thousand commercial web servers, are exposed on the Internet without proper defense measures.
The German team reported that they were able to get "read and write access" to the unsecured and vulnerable MongoDB databases without using any special hacking tools.
“Without any special tools and without circumventing any security measures, we would have been able to get read and write access to thousands of databases, including, e.g., sensitive customer data or live backends of Web shops. The reason for this problem is twofold:
• The defaults of MongoDB are tailored for running it on the same physical machine or virtual machine instances.
• The documentations and guidelines for setting up MongoDB servers with Internet access may not be sufficiently explicit when it comes to the necessity to activate access control, authentication, and transfer encryption mechanisms” states the report published by the researchers.
The results of the study are disconcerting: 39,890 MongoDB databases were openly accessible on the Internet. The list of vulnerable and accessible databases includes one belonging to an unnamed French telecommunications company that contains the phone numbers and addresses of 8 million customers.
“Since we now are able to connect to the MongoDBs found by calling the mongo shell with the IP address found.”
mongo $IP
“In order to verify the impact and risk related to the found MongoDB instances, we exemplarily double-checked that these databases are not intentionally configured without access control and further security mechanisms. Briefly looking at a large database, we found a customer database of a French telecommunications provider with about 8 million customer entries,” wrote the researchers. “Our initial port scan revealed 39,890 instances. However, this number might be inaccurate, since on the one hand many larger providers blocked the scan such that there might be more publicly accessible MongoDBs online, and on the other hand some of these databases might be intentionally configured without security measures, e.g. as honeypots.”
The experts highlighted that the security flaw is quite easy to exploit: by running a massive scan for TCP port 27017 across the Internet, it is possible to locate all vulnerable servers in a few hours.
Attackers could also use the popular Shodan search engine to easily identify accessible MongoDB databases.
Using a free standard account we identified a first set of vulnerable MongoDB addresses by pasting the following HTML code.
curl $SHODANURL | grep -i 'class="ip"' | cut -d '/' -f 3 | cut -d '"' -f 1 | uniq > db.ip
The German researchers already reported their findings to MongoDB as well as the French Data Protection Authority (CNIL) and the Federal Office for Information Security. The researchers also reported the issue to the affected organizations.
MongoDB urges its users to run the latest version of the database.
“Those who are affected by the issue should use the latest installer for MongoDB, which limits network access to localhost by default, and also refer to the MongoDB Security Manual.”
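The two causes the researchers name (defaults tailored to a single machine, and access control, authentication and transport encryption left off) together with the vendor's localhost-binding advice can be turned into a configuration check. The following Python script is an added example, not code from the article, the researchers or MongoDB. The two mongod.conf samples are constructed, their file paths are placeholders, and the option names are the standard mongod.conf keys (net.bindIp, net.bindIpAll, security.authorization, net.tls.mode and the older net.ssl.mode).

```python
"""Audit a mongod.conf for the exposure pattern described in the report.

Added example: not from the article, the researchers or MongoDB. The two
configurations below are constructed samples; file paths are placeholders.
Option names are the standard mongod.conf keys.
"""

# Constructed sample of the risky layout: listens on every interface and
# never turns on access control or TLS.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample of the hardened layout: loopback only (the vendor's
# advice), authentication required, TLS required. Paths are placeholders.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text):
    """Parse the indented 'key: value' subset that mongod.conf uses.

    Nested maps and scalar values only (no lists, no quoting); anything after
    '#' is treated as a comment. Returns nested dicts.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close maps indented deeper than this line
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:  # a key with no value opens a nested map
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def audit_config(text):
    """Return a list of findings; an empty list means no exposure pattern found."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # 1. Reachability: anything but loopback accepts remote clients. An unset
    #    bindIp is treated as exposed, since builds before 3.6 listened on all interfaces.
    bind = net.get("bindIp")
    if net.get("bindIpAll") == "true":
        findings.append("net.bindIpAll=true: mongod listens on all interfaces")
    elif bind is None:
        findings.append("net.bindIp unset: assume all interfaces (pre-3.6 default)")
    elif not {a.strip() for a in bind.split(",")} <= LOOPBACK:
        findings.append(f"net.bindIp={bind}: reachable from non-loopback addresses")

    # 2. Access control: without it every client gets read and write access.
    if security.get("authorization") != "enabled":
        findings.append("security.authorization not 'enabled': no authentication required")

    # 3. Transport encryption (net.tls since 4.2, net.ssl in older releases).
    tls = net.get("tls") or net.get("ssl") or {}
    if not isinstance(tls, dict) or tls.get("mode") not in ("requireTLS", "requireSSL"):
        findings.append("net.tls.mode not requireTLS: traffic crosses the wire in clear text")

    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_config(conf) or ['no findings']}")
```

Run against a real deployment by reading the server's mongod.conf into audit_config; the exposed sample produces one finding for each of the three gaps the report describes, while the hardened sample produces none.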

Pierluigi Paganini

(Security Affairs –  MongoDB, Hacking)
