During a routine search for vulnerable databases, the team at Comparitech discovered an unprotected MongoDB database belonging to FarFaria, a website designed to promote literacy for children as young as 2 years old. The information in this database included user sign-in information, email addresses, and social media tokens.
While the Comparitech team made the ethical move and sent a responsible disclosure alert to FarFaria (which resulted in access to the database being restricted), an attacker could easily have stolen user data from the database and used it in an attack on FarFaria users. Hypothetically, an easy attack would involve composing a phishing email containing the user's account information to make them believe they are receiving a legitimate email from FarFaria. Such an email then serves as a trojan horse for whatever malware the attacker wishes to use to infect the user's browser and system.
Since the database was not securely configured, the likely culprit here is simply negligence on the part of FarFaria's IT staff. In fact, MongoDB provides a security checklist for any MongoDB administrator looking to protect a database from attackers. Steps in this checklist include:
Securing the Database
Enable Access Control and Enforce Authentication – Enable an authentication mechanism appropriate to your infrastructure so that users must present valid credentials before they can access the database.
Configure Role-based Access Control – Implement the principle of least privilege to make sure no users have access to data they shouldn’t have.
Encrypt Communication – Enable TLS/SSL for all incoming and outgoing connections.
Encrypt and Protect Data – Make use of encryption-at-rest applications (if available) or make use of file system permissions to keep files safe.
Run the database with a single user – Use one dedicated OS user account (not root) to run the database process and perform all necessary database functions.
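As an added illustration (not part of Comparitech's report or MongoDB's own documentation), the following mongod.conf shows the kind of settings that leave a database open beside a hardened equivalent that maps each checklist item above to a configuration key; the file paths and the internal address are placeholders.

```yaml
# Weak configuration (constructed example): listens on every interface,
# no authentication, no TLS. Anyone who can reach port 27017 can read
# the data, which is how exposed MongoDB instances are typically found.
# net:
#   port: 27017
#   bindIp: 0.0.0.0
# (no "security" section, so authorization defaults to disabled)

# Hardened configuration: each checklist item mapped to a mongod.conf key.
net:
  port: 27017
  # Only listen where clients actually need to connect; never 0.0.0.0.
  bindIp: 127.0.0.1,10.0.0.5          # placeholder internal address
  tls:
    # "Encrypt Communication": require TLS on every connection.
    mode: requireTLS
    certificateKeyFile: /etc/mongodb/tls/server.pem   # placeholder path
    CAFile: /etc/mongodb/tls/ca.pem                   # placeholder path

security:
  # "Enable Access Control and Enforce Authentication": clients must
  # authenticate. "Configure Role-based Access Control" then follows by
  # creating users with built-in or custom roles (e.g. read on one db)
  # rather than granting every application account root.
  authorization: enabled
  # "Encrypt and Protect Data": native encryption at rest is an
  # Enterprise feature; on Community builds rely on full-disk encryption
  # and strict file permissions instead.
  # enableEncryption: true
  # encryptionKeyFile: /etc/mongodb/keyfile   # placeholder path

storage:
  # "Run the database with a single user": this directory should be
  # owned by the dedicated mongod OS account with mode 0700, and mongod
  # should be started as that account, not as root.
  dbPath: /var/lib/mongodb
```

With authorization enabled, the first user must be created through the localhost exception (or before enabling it), after which every connection, including the one Comparitech's scan would have made, is refused until it authenticates.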
By making use of these and other security policies, you can ensure database security and avoid any unpleasant incidents that may come with database negligence.