More than 40,000 MongoDB databases are floating around on the Internet, presenting a major threat to stakeholders

The 3 Musketeers

These 3 students – Jens Heyens, Kai Greshake and Eric Petryka – from Saarland University in Germany were behind the discovery that databases running as a service or being used as a website backend could be reached by anyone on the internet, who would then have read and write access to them. Their view is that the security mechanisms were not put in place because the tutorials and guidelines do not mention them specifically. Organisations that set up MongoDB web servers following these guidelines are likely to have overlooked the importance of activating security mechanisms and left the databases open to access from the internet. After a simple search, they found 39,890 vulnerable database instances. This number, though, could be much higher, as major corporations block such scans and searches.

Lack of acknowledgment

“The fault is not complicated, but its effect is catastrophic,” said Michael Backes, professor of information security and cryptography at Saarland University and director of CISPA, who was contacted by the students at the end of last month. The students informed the French Data Protection Authority (CNIL), the Federal Office for Information Security and MongoDB so that the affected database owners could be notified. But the anger is not about the flaw itself; it is being fuelled by the lack of acknowledgement that the flaw exists.

Dent in the growth

This revelation will dent the growth story of NoSQL systems, which have in recent years challenged relational databases by handling larger data sets more efficiently. As the leading open-source document database, MongoDB is at the center of this trend, with several major websites and services integrating it into their backend. This security alert is likely to be a setback for the company, which last month was valued at $1.6 billion after a new round of funding from investors.