February 11, 2015

MongoDB gate

Yesterday researchers of my home university Universität des Saarland published a report about 40.000 MongoDB servers in the world running on public ports and without authentication. This is kind of a nightmare. Disclosure of customer data, credit card numbers etc....but whom to blame? Of course MongoDB is (technology-wise) a crappy database and it would be easy to blame MongoDB altogether.

There are only two minor problems with MongoDB here:

  • the MongoDB daemon binds to all public IP addresses by default depending on the distribution or download package. It is said that the standard installers bind to localhost only however the daemon distributed with the binary packages binds to - BAD DESIGN DECISION
  • MongoDB does not require a password by default. So every MongoDB server is open without authentication by default - BAD DESIGN DECISION

However there is no direct technical exploit in MongoDB responsible for the disclosure of private data - just bad design decisions (having their impact here). Unfortunately the answer of MongoDB CTO Eliot Horowitz on this issue is both cheap, weak and poor and one does not seem to care about the implications from this report.

More important in this case is the human factor.

Obviously several thousand adminsitrators are incompetent or incapable performing very basic administration tasks like

  • configuring a daemon to localhost or a private IP only
  • configuring a firewall

My theory on this is that more and more untalented IT workers are in charge for dealing with technology issues, networking and programming aspects that are far beyond their horizon. This is not only a problem of MongoDB but can be also observed with other IT technology. Watching mailing lists, IRC, Stackoverflow and other related media over the last years is becoming a growing pain. The technology is getting more and more diverse and complex but the intelligence and motivation of the "typical" IT workers seems to go down year by year. Yes, this is a typical Andreas Jung rant but many tasks in software development and system administration should be left to people that know what they are doing. But many IT departments apparently do not care about competence, security and privacy (any more). Mistakes happen every day - even for experienced IT workers and experts. However this report with 40.000 open MongoDB installations indicates some more fundamental problems how IT security handled in organizations: badly. And my recommendation: unmotivated and untalended script kiddies should keep their fingers away from security critical infrastructure and components.