Researchers: Many MongoDB Database Servers Are Publicly Available
Due to a common misconfiguration of the popular MongoDB, databases on tens of thousands of IP addresses can be read freely, according to a group of students from Saarland University. Among other things, the customer data of a French telecom company can be requested.
According to the students, who are researching cybersecurity, many system administrators forget to activate some of the security mechanisms when they install the popular open source database MongoDB. Many Linux distributions, for example, install MongoDB by default so that it is reachable only from the local system and with no password set. If the database is then moved to a separate server and made reachable over the network instead of only locally, the MongoDB database is often directly accessible from the internet alongside the web server, the researchers say.
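The two settings the researchers describe, whether mongod listens only on the local interface and whether a password is required, can both be read from the server's configuration file. The following audit script is an added example and is not code from the article, the students or the MongoDB project; it uses only the Python standard library, so a small indentation-based parser stands in for a YAML library, and the two configuration samples (a weak one with the database exposed on all interfaces, and a hardened one) are constructed for illustration. The finding for a missing `bindIp` assumes an older mongod release, which listened on all interfaces when the setting was absent.

```python
"""Audit a mongod configuration for the two settings described in the article:
net.bindIp (which interfaces mongod listens on) and security.authorization
(whether clients must authenticate). Handles the YAML-style mongod.conf and the
older 'key = value' format (bind_ip / auth). Added example, not project code."""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Legacy (pre-YAML) option names mapped onto their YAML-style section/key.
LEGACY = {"bind_ip": ("net", "bindIp"), "auth": ("security", "authorization")}


def parse_mongod_conf(text):
    """Parse the subset of mongod.conf used here: two-level 'section:' / '  key: value'
    YAML blocks, plus legacy 'key = value' lines. Returns {section: {key: value}}."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        # Legacy format: an '=' appears before any ':' on an unindented line.
        if indent == 0 and "=" in line.split(":")[0]:
            key, _, value = line.strip().partition("=")
            key, value = key.strip(), value.strip()
            if key in LEGACY:
                sect, sub = LEGACY[key]
                if key == "auth":   # 'auth = true' means authorization enabled
                    value = "enabled" if value.lower() == "true" else "disabled"
                config.setdefault(sect, {})[sub] = value
            continue
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section = key
            config.setdefault(section, {})
        elif section is not None:
            config[section][key] = value.strip()
    return config


def audit(config):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    findings = []
    bind = config.get("net", {}).get("bindIp")
    if bind is None:
        # Assumption: older mongod releases bound to all interfaces when bindIp was unset.
        findings.append("net.bindIp not set: older mongod releases then listen on all interfaces")
    else:
        exposed = [a.strip() for a in bind.split(",") if a.strip() not in LOOPBACK]
        if exposed:
            findings.append("net.bindIp exposes non-loopback address(es): " + ", ".join(exposed))
    if config.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': no password is required")
    return findings


def audit_text(text):
    """Convenience wrapper: parse a configuration string and audit it."""
    return audit(parse_mongod_conf(text))


# Constructed sample: the database moved to its own server and opened to the network.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface
"""

# Constructed sample: loopback only, and authorization switched on.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_text(conf) or ["no findings"])
```

Run against a real server, the script would be pointed at `/etc/mongod.conf` (or the legacy `/etc/mongodb.conf`); a clean result only means the file is sane, so it is worth pairing with a check that the process is actually listening on loopback only, for example with `ss -ltnp` on the host.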
In total, the students were able to locate open MongoDB databases at 39,890 IP addresses. These are often easy to find with the right search terms in a search engine. One of the vulnerable databases is said to belong to a French telecom company: customer data such as telephone numbers and addresses of approximately 8 million French people were freely accessible. The students also encountered many databases that could be written to. A German online store also ‘leaked’ customer data, including data about transactions. In both cases, the affected companies were warned about the incorrect database configuration.
The German news site Heise notes that it is not only MongoDB databases that are vulnerable. Other NoSQL databases such as Redis and the caching software Memcache are often configured incorrectly as well, so that data can unintentionally be requested from outside.