Three students from Saarland University in Germany at the Centre for IT Security – Kai Greshake, Eric Petryka and Jens Heyens – discovered that MongoDB databases running as a service on TCP port 27017 on several thousand commercial web servers are easily accessible from the Internet.
MongoDB is an open-source database used by companies of all sizes, across all industries for a wide variety of applications. MongoDB is built for scalability, performance and high availability, scaling from single server deployments to large, complex multi-site architectures. By leveraging in-memory computing, MongoDB provides high performance for both reads and writes.
The German researchers said that they were able to get "read and write access" to the unsecured MongoDB databases without using any special hacking tools. They found 39,890 MongoDB databases openly available on the Internet, including one belonging to an unnamed French telecommunications company containing 8 million customers' phone numbers and addresses.
"Anybody could retrieve and even alter several million items of customer data, including names, addresses, emails and credit card numbers," the university in Saarbruecken on the Franco-German border said in a statement.
Exploiting the loophole is incredibly easy: an attacker only needs to run a port scan for TCP port 27017 against the victim's machine, and the researchers note that finding every vulnerable server on the Internet could be achieved within about four hours using the fast TCP port scanner "masscan".
The Shodan search engine makes the task even easier, as it lets anyone identify accessible MongoDB databases without scanning at all: Shodan maintains a database of IP addresses with the list of services running on each and an easy-to-use filter mask.
The German researchers reported the issue to MongoDB as well as the French Data Protection Authority (CNIL) and the Federal Office for Information Security so that the affected database owners could be notified of the loophole.
MongoDB responded to the issue, saying "MongoDB takes security very seriously." Those affected should use the latest MongoDB installer, which limits network access to localhost by default, and should also consult the MongoDB Security Manual.
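The fix the article points to is the bind address: a mongod that listens on every interface is reachable by the port scan described above, one bound to loopback is not. The POSIX shell script below is an added example, not from the article, the university or MongoDB, that audits a mongod configuration file for that setting. It assumes the YAML-style config (net.bindIp, net.bindIpAll) introduced in MongoDB 2.6 or the older ini-style "bind_ip =" key, and it treats a missing bindIp as needing review because older packages listened on all interfaces when the key was unset. The sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit mongod.conf for the network-exposure setting the article
# describes. Not part of the article or of MongoDB's own tooling.

SAMPLE_DIR="${TMPDIR:-/tmp}/mongod-audit-samples.$$"

# Constructed sample configs: one exposed (all interfaces), two hardened
# (loopback only, YAML and legacy ini syntax), and one with bindIp unset.
write_sample_configs() {
    mkdir -p "$SAMPLE_DIR"
    cat > "$SAMPLE_DIR/exposed.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface: reachable from the Internet
EOF
    cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
net:
  port: 27017
  bindIp: "127.0.0.1,::1"   # loopback only, the default in current installers
EOF
    cat > "$SAMPLE_DIR/legacy.conf" <<'EOF'
port = 27017
bind_ip = 127.0.0.1
EOF
    cat > "$SAMPLE_DIR/unset.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
EOF
}

# Returns 0 when the config binds mongod to loopback addresses only,
# 1 when it may listen on a non-loopback interface or says nothing at all.
mongod_conf_is_loopback_only() {
    conf="$1"
    # bindIpAll: true (3.6+) overrides any bindIp list.
    if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$conf"; then
        return 1
    fi
    # Extract the bindIp value from either syntax; drop comments, quotes, spaces.
    bind=$(sed -n 's/^[[:space:]]*bindIp:[[:space:]]*//p; s/^[[:space:]]*bind_ip[[:space:]]*=[[:space:]]*//p' "$conf" \
        | head -n 1 | sed 's/#.*//; s/["'"'"'[:space:]]//g')
    [ -z "$bind" ] && return 1
    # Every comma-separated entry must be a loopback address.
    echo "$bind" | tr ',' '\n' | while read -r addr; do
        case "$addr" in
            127.0.0.1|::1|localhost) ;;
            *) exit 1 ;;
        esac
    done
}

# Stand-alone run: report each sample file.
write_sample_configs
for f in "$SAMPLE_DIR"/*.conf; do
    if mongod_conf_is_loopback_only "$f"; then
        echo "OK       $f"
    else
        echo "EXPOSED  $f (bind mongod to 127.0.0.1 or firewall port 27017)"
    fi
done
```

On a live host, run the function against /etc/mongod.conf and cross-check with the sockets actually open (for example `ss -ltn` on Linux), since a config file only tells you what mongod was asked to do, not what a command-line override or an old init script made it do.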