MongoDB flaws exposed 600TB Admin Data

About 600TB of administrative data has been accidentally exposed through a simple mistake by MongoDB administrators, compounded by their use of outdated or unpatched versions of the MongoDB software.

According to John Matherly, the creator of Shodan, nearly 595.2 terabytes of data are exposed by installations running outdated or unpatched versions of the software. All of that data can be accessed without any authentication.

MongoDB is a popular open source NoSQL database, an alternative to SQL databases, and is already used by many companies, including The New York Times, eBay and Foursquare. John Matherly argues that around 30,000 databases are exposed because administrators are running old versions of MongoDB, and these old versions fail to bind to localhost.

The latest version of MongoDB is 3.0.4, but up to version 2.4.14 MongoDB was still listening on 0.0.0.0 by default.

This security issue was already known: security researcher Roman Shtylman had reported it in 2012. Shtylman considered it a critical bug because MongoDB was being shipped without authentication enabled.

Affected, outdated versions of MongoDB do not have the 'bind_ip 127.0.0.1' option set in mongodb.conf, potentially leaving users' servers exposed if they are not aware of this setting.
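As an added example (not part of the article), the following Python script audits a legacy-format mongodb.conf, the `key = value` style used by MongoDB 2.4 and earlier, for the two weaknesses described above: a missing or non-loopback `bind_ip`, and `auth` left off. The option names `bind_ip` and `auth` are the legacy configuration keys; the sample configuration files are constructed for illustration.

```python
# Added example, not from the article: audit a legacy-format mongodb.conf
# (the key = value style of MongoDB 2.4 and earlier) for the two weaknesses
# the article describes: no bind_ip restriction and no auth.
import ipaddress

def parse_legacy_conf(text):
    """Parse 'key = value' lines; '#' starts a comment; later keys win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings[key] = value
    return settings

def is_loopback_only(bind_ip):
    """True only if every comma-separated address is a loopback address."""
    addrs = [a.strip() for a in bind_ip.split(",") if a.strip()]
    try:
        return bool(addrs) and all(
            ipaddress.ip_address(a).is_loopback for a in addrs)
    except ValueError:  # hostnames or garbage: assume not restricted
        return False

def audit_mongod_conf(text):
    """Return a list of findings (empty means neither weakness is present)."""
    s = parse_legacy_conf(text)
    findings = []
    bind_ip = s.get("bind_ip")
    if bind_ip is None:
        findings.append("bind_ip unset: 2.4-era default listens on 0.0.0.0")
    elif not is_loopback_only(bind_ip):
        findings.append("bind_ip %s is reachable beyond localhost" % bind_ip)
    if s.get("auth", "false").lower() != "true":
        findings.append("auth not enabled: no credentials required")
    return findings

# Constructed sample configs, not taken from any real deployment.
WEAK_CONF = """
# typical 2.4-era mongodb.conf: only dbpath and logpath set
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
"""
HARDENED_CONF = """
dbpath = /var/lib/mongodb
bind_ip = 127.0.0.1   # loopback only
auth = true           # require credentials
"""
```

Running `audit_mongod_conf(WEAK_CONF)` reports both weaknesses, while the hardened file produces no findings.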

This is not the first time the security industry has been concerned about the security of MongoDB: in February 2015, nearly 40,000 entities running MongoDB were found vulnerable to cyber attacks.