MongoDB is popular database software used by many websites and services, but because many organizations have outdated versions installed, some 600TB of database content is freely accessible over the Internet. That is according to John Matherly, founder of the Shodan search engine.
Earlier this year researchers warned that some 40,000 MongoDB installations could be accessed by anyone without a password. Using his own search engine, Matherly arrives at just under 30,000 installations. This surprised him, because by default MongoDB should not be reachable over the Internet. That default, however, turns out to have been changed only recently: the last version that was accessible to anyone via the web by default appeared in late April of this year. On further investigation, Matherly found that the problem with the default setting had already been reported in 2012.
A configuration file that resolved the problem was prepared a year later, but it was not added to the system. As a result, the default setting remained insecure until the end of April this year. Although the problem is no longer present in new versions, many databases are still accessible to everyone. Matherly discovered that these are mainly installations hosted by cloud providers such as Digital Ocean, Amazon and Linode. It appears that these cloud services use vulnerable versions of MongoDB in their images, so their customers end up deploying insecure versions of the database software.
Matherly decided to determine how large the problem is by connecting to the exposed databases. It turns out to involve nearly 600TB of data. Forty percent of the installations also run a very old version of MongoDB, namely 1.8.1, which was released in early 2011. Matherly says that such problems have existed for years and are found everywhere. He hopes that more people will start looking at the services responsible for the data in the databases, rather than focusing only on the web interfaces.
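As an added illustration (not code from the article, from Matherly or from the MongoDB project), the following audits the legacy "key = value" mongod.conf format used by the 1.8.x/2.x releases the article mentions and flags the two settings behind this kind of exposure: listening on every interface and running without authentication. The two configuration samples are constructed for the example.

```python
# Audit helper for the legacy "key = value" mongod.conf format
# (used by the 1.8.x/2.x releases this article mentions). Constructed
# example; not code from the article or from the MongoDB project.
from typing import Dict, List

# Constructed samples: an exposed install of the kind the article
# describes (no bind_ip, no auth) and a hardened one.
EXPOSED_CONF = """
# mongod.conf as shipped on an older image
port = 27017
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
"""

HARDENED_CONF = """
port = 27017
dbpath = /var/lib/mongodb
# listen on loopback only
bind_ip = 127.0.0.1
# require credentials
auth = true
"""

def parse_legacy_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines, dropping blank lines and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per setting that leaves mongod open to the network."""
    findings: List[str] = []
    # Older releases listened on every interface unless bind_ip was set.
    addrs = [a.strip() for a in settings.get("bind_ip", "").split(",") if a.strip()]
    if not addrs or "0.0.0.0" in addrs or "::" in addrs:
        findings.append("bind_ip unset or wildcard: listens on all interfaces")
    # Authentication was off unless auth = true; noauth = true forces it off.
    auth_on = settings.get("auth", "false").lower() == "true"
    if settings.get("noauth", "false").lower() == "true" or not auth_on:
        findings.append("auth not enabled: anyone who can connect can read the data")
    return findings

def audit_conf(text: str) -> List[str]:
    """Parse and audit a config file's contents in one step."""
    return audit(parse_legacy_conf(text))

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or ["no findings"])
```

The exposed sample yields two findings and the hardened one none; a real deployment would additionally need a firewall rule and a current release, which this check does not cover.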