Cyber security students at Saarland University in Germany (which I attended during 1975 and 1976. Ed.) have discovered up to 40,000 insecure databases on the internet, the university reports.
Anyone could retrieve or even amend several million customer accounts, including name, address, email and credit card details, via the internet, according to the University’s Center for IT-Security, Privacy, and Accountability (CISPA). The cause is a wrongly configured, freely available database on which millions of online shops and platforms around the world build their services. If operators blindly stick to the defaults during installation and do not consider a few crucial details, the data sits online completely unprotected. CISPA has already contacted the vendor and data protection authorities.
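The "crucial details" are two settings in the server configuration: which network interfaces the database listens on, and whether clients must authenticate. The following audit script is an added example written for this article (it is not part of the CISPA report or of MongoDB); it reads a mongod configuration file in either the YAML-style format (MongoDB 2.6 and later, keys `net.bindIp` and `security.authorization`) or the older `key = value` format (`bind_ip`, `auth`), and flags the combination that exposes an instance to anyone on the network. The two configuration texts embedded in it are constructed for illustration, and the function names are the script's own.

```python
"""Audit a mongod configuration for the two settings that, together, leave a
MongoDB instance open to any client on the network: binding to all interfaces
and running without authorization.

Hypothetical audit helper written for this article; not part of MongoDB or of
the CISPA report.  Handles the one-level YAML subset used by mongod.conf and
the legacy 'key = value' form."""

# Addresses that mean "listen on every interface".
ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_mongod_conf(text):
    """Return a flat dict such as {'net.bindIp': '127.0.0.1', 'auth': 'true'}.

    Comments and blank lines are skipped.  YAML sections ('net:') are joined
    to their child keys with a dot; legacy lines keep their bare key."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip trailing comments
        if not line.strip():
            continue
        eq, colon = line.find("="), line.find(":")
        if eq != -1 and (colon == -1 or eq < colon):   # legacy 'key = value'
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = value
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key if not value else None   # 'net:' opens a section
            if value:
                settings[key] = value
        elif section:
            settings[f"{section}.{key}"] = value
    return settings


def audit(settings):
    """Return a list of (severity, message) findings for parsed settings."""
    findings = []
    bind = settings.get("net.bindIp", settings.get("bind_ip"))
    # No bindIp at all is treated as all interfaces, the pre-3.6 binary default.
    exposed = bind is None or any(a.strip() in ALL_INTERFACES for a in bind.split(","))
    if bind is None:
        findings.append(("warning", "no bindIp set; pre-3.6 binaries default to all interfaces"))
    elif exposed:
        findings.append(("warning", f"bindIp {bind} listens on all interfaces"))
    authz = settings.get("security.authorization") == "enabled"
    legacy_auth = settings.get("auth", "").lower() == "true"
    if not (authz or legacy_auth):
        findings.append(("warning", "authorization not enabled; any client has full read/write access"))
        if exposed:
            findings.append(("critical", "network-reachable instance without authentication"))
    return findings


def audit_conf(text):
    """Convenience wrapper: parse a config text and audit it."""
    return audit(parse_mongod_conf(text))


# Constructed example: an untouched install that listens everywhere, no auth.
WEAK_CONF = """\
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example: listen only on loopback and require credentials.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or "no findings")
```

The script only reads the configuration; it makes no network connection. Note that `bindIp: 127.0.0.1` on its own is not a substitute for authentication: any process on the same host, or anyone reaching the port through a misconfigured firewall or tunnel, still gets full read and write access unless `security.authorization` is enabled.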
“It is not a complex bug, but its effect is disastrous”, explains Michael Backes, professor of information security and cryptography at Saarland University and director of CISPA. He was contacted by the students and CISPA employees Kai Greshake, Eric Petryka and Jens Heyens at the end of January. Heyens is a cyber security student at Saarland University, and his two fellow students plan to concentrate on this subject in the coming semester. The flaw they detected affects 39,890 databases. “The databases are accessible online without being protected by any defensive mechanism. You even have the permissions to update and change data. Hence we assume that the databases were not left open on purpose”, Backes explains. The vendor of the database is MongoDB Inc. Its MongoDB database is one of the most widely used open source databases. Out of curiosity, the students queried a publicly accessible search engine for servers and services connected to the internet and thus discovered the IP addresses of companies running unprotected MongoDB databases.
When the students called up the detected MongoDB databases at the respective IP addresses, they were surprised. Access was neither locked nor protected in any other way. “A database unprotected like this is similar to a public library with a wide open entrance door and without any librarian. Everybody can enter”, explains Backes. Within a few minutes, the students detected the same critical condition in numerous other databases. They even found a customer database, possibly belonging to a French ISP and mobile phone provider, containing the addresses and telephone numbers of roughly 8 million French customers. According to the students, they also found the data of half a million German clients among those addresses. Another unprotected database was that of a German online retailer, and it included payment information. “The saved data can be used later to steal identities. Even if the identity theft is known, even years later the affected people have to deal with contracts signed under their own names by the identity thieves”, says Backes. The CISPA researchers immediately began contacting MongoDB Inc. as well as the international computer emergency response teams (CERTs). They informed the French data protection authority, the Commission nationale de l’informatique et des libertés, and the German Federal Office for Information Security. “We do also hope that the developer of MongoDB will quickly include our results, incorporate them into its guidelines and forward them to the companies using the database”, says Backes.
CISPA has released a report of its findings (pdf).