Check your NoSQL database - 600 terabytes of MongoDB data publicly exposed on the internet

No authentication required, especially if you're running MongoDB in the cloud

A total of 595.2 terabytes (TB) of data is exposed on the internet via publicly accessible MongoDB instances that don't require any form of authentication.

That is the claim of blogger and Shodan developer John Matherly, following an investigation. Shodan is a search engine designed to expose online devices. Previous investigations by Shodan have exposed insecure internet-connected industrial systems.

"Most people use Shodan to find devices that have web servers, but for a few years now I've also been crawling the internet for various database software," writes Matherly. While MySQL and PostgreSQL are typically quite secure, as they are secured by default out-of-the-box, this is less true of some of the new NoSQL databases that are growing in popularity, he continues.

In his investigation, Matherly focused on MongoDB. "A quick search for MongoDB reveals that there are nearly 30,000 instances on the Internet that don't have any authorisation enabled. This was actually a bit surprising since by default MongoDB listens on localhost and has done so for a while, based on the oldest Github check-in for their mongodb.conf.

"This made my results very confusing: how could there be so many open MongoDB installations if the defaults were to listen on localhost?"

According to Matherly, it took a number of years for the open source project to rectify this security flaw, which was first raised in February 2012 and only fixed in April 2015. "It turns out that MongoDB version 2.4.14 seems to be the last version that still listened to 0.0.0.0 by default, which looks like a maintenance release done on April 28, 2015."
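The two conditions Matherly describes, a mongod listening on all interfaces and running without authentication, can both be read straight out of the legacy `key = value` mongodb.conf he refers to. The following audit script is an added example written for this article, not code from Shodan or the MongoDB project; `bind_ip`, `auth` and `noauth` are the real legacy option names, and the two sample configurations are constructed here for illustration.

```python
"""Audit a legacy (key = value) mongod.conf for the two weaknesses the
article describes: listening on every interface and running with no auth.
bind_ip, auth and noauth are the legacy MongoDB option names; the sample
configs at the bottom are constructed for this example, not real files."""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_legacy_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, blanks are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        opts[key.lower()] = value.lower()
    return opts

def is_true(value):
    return value in {"true", "1", "yes"}

def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    opts = parse_legacy_conf(text)
    findings = []
    # Check 1: listening interfaces. With no bind_ip, the old releases the
    # article discusses (2.4.14 and earlier) listen on 0.0.0.0.
    bind = opts.get("bind_ip")
    if bind is None:
        findings.append("bind_ip not set: old releases listen on 0.0.0.0")
    else:
        addrs = {a.strip() for a in bind.split(",")}
        if not addrs <= LOOPBACK:
            findings.append("bind_ip exposes non-loopback interface(s): "
                            + ", ".join(sorted(addrs - LOOPBACK)))
    # Check 2: authentication. 'auth = true' enables it; 'noauth = true' or
    # neither key means anyone who can reach the port can read the data.
    if not is_true(opts.get("auth", "false")) or is_true(opts.get("noauth", "false")):
        findings.append("authentication not enabled (no auth = true, or noauth set)")
    return findings

# Constructed sample configs (not taken from any real deployment).
WEAK_CONF = """\
# typical pre-2.6 mongodb.conf: no bind_ip, no auth
dbpath = /var/lib/mongodb
port = 27017
"""
HARDENED_CONF = """\
bind_ip = 127.0.0.1   # loopback only
auth = true           # require credentials
"""
```

Running `audit_mongod_conf(WEAK_CONF)` reports both weaknesses, while the hardened configuration returns no findings.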

And Matherly also noted that iterations of MongoDB running in the cloud tended to be more insecure.

"The vast majority of public MongoDB instances are operating in a cloud: Digital Ocean, Amazon, Linode and OVH round out the most popular destinations for hosting MongoDB without authorization enabled. I've actually observed this trend across the board: cloud instances tend to be more vulnerable than the traditional datacenter hosting. My guess is that cloud images don't get updated as often, which translates into people deploying old and insecure versions of software."

Using Shodan, Matherly calculates that just under 600 TB of data is currently exposed on insufficiently secured MongoDB databases, in many cases because the users are running older versions of the software in the cloud.