As reported by Infosecurity Magazine, the white-hat researcher Bob Diachenko uncovered a MongoDB instance that anyone on the internet could have accessed. The database in question belonged to ABBYY, a “global document recognition and content capture software developer.” The MongoDB instance was not password protected and, according to Diachenko, this is problematic because:
The biggest concern was the fact MongoDB in question also contained a large chunk of scanned documents (more than 200,000 contracts, NDAs, memos, letters and other internal documentation, properly OCR’d and stored) which apparently were stored by ABBYY partners using their administration console.
ABBYY’s clients include major companies like McDonald’s, Volkswagen, and the Reserve Bank of Australia, so documents like these being publicly readable could have been catastrophic. ABBYY reportedly shut down access to the database once Bob Diachenko emailed them with his findings. The problem is that there is no telling who else found the open database before he did, or whether its contents were copied for use as reconnaissance in future attacks. ABBYY has already admitted in a statement that the so-called “temporary data breach” did in fact affect one of its clients. Though it has started a “full corrective security review of” its infrastructure, processes, and procedures, that may be too little, too late.
Misconfigured databases are something penetration testers come across all the time in our work (I myself am a penetration tester). Whether it is MySQL or another database, it is always a bit alarming just how many of these instances are reachable from the internet with no authentication at all. MongoDB in particular ships with authorization disabled, and before version 3.6 the mongod binary listened on every network interface unless bindIp was set, so an instance exposed at the network edge with default settings can be read by anyone who finds it. Databases hold a treasure trove of information, from user accounts to other sensitive data that, if exposed to the public, could compromise numerous facets of an organization.
As this MongoDB misconfiguration shows, it is vital that organizations perform regular security checks, including bringing in outside penetration testers to find the weak spots in their databases (or anything else) before something like this happens again.
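To make the check concrete, here is an added example of my own (it is not ABBYY's or Diachenko's tooling, and the host, port, database names and server replies in it are constructed for illustration). It speaks just enough of the MongoDB wire protocol (OP_MSG) and BSON, using only the Python standard library, to send the listDatabases admin command with no credentials and report whether the server answered with database names (exposed) or with the Unauthorized error (authentication enforced). The sample replies at the bottom let the decoder and verdict logic run offline.

```python
import socket
import struct
import sys

OP_MSG = 2013       # wire-protocol opcode for OP_MSG (MongoDB 3.6 and later)
UNAUTHORIZED = 13   # MongoDB server error code "Unauthorized"

def bson_encode(obj):
    """Encode a dict as BSON (bool, int, float, str, dict, list only). Key order is
    kept: the server reads the first key of a command document as the command name."""
    body = b""
    for name, val in obj.items():
        key = name.encode() + b"\x00"
        if isinstance(val, bool):                          # before int: bool subclasses int
            body += b"\x08" + key + (b"\x01" if val else b"\x00")
        elif isinstance(val, int) and -2**31 <= val < 2**31:
            body += b"\x10" + key + struct.pack("<i", val)
        elif isinstance(val, int):
            body += b"\x12" + key + struct.pack("<q", val)
        elif isinstance(val, float):
            body += b"\x01" + key + struct.pack("<d", val)
        elif isinstance(val, str):
            s = val.encode() + b"\x00"
            body += b"\x02" + key + struct.pack("<i", len(s)) + s
        elif isinstance(val, dict):
            body += b"\x03" + key + bson_encode(val)
        elif isinstance(val, list):                        # arrays are docs keyed "0", "1", ...
            body += b"\x04" + key + bson_encode({str(i): v for i, v in enumerate(val)})
        else:
            raise TypeError(f"unsupported value for {name!r}: {type(val).__name__}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

def parse_bson(buf, pos=0):
    """Decode one BSON document at buf[pos:]; returns (dict, offset just past it)."""
    end = pos + struct.unpack_from("<i", buf, pos)[0]
    pos, out = pos + 4, {}
    while pos < end - 1:                                   # a document ends with 0x00
        etype, name_end = buf[pos], buf.index(b"\x00", pos + 1)
        name, pos = buf[pos + 1:name_end].decode(), name_end + 1
        if etype == 0x01:
            val, pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif etype == 0x02:
            slen = struct.unpack_from("<i", buf, pos)[0]  # includes the trailing NUL
            val, pos = buf[pos + 4:pos + 3 + slen].decode(), pos + 4 + slen
        elif etype in (0x03, 0x04):
            val, pos = parse_bson(buf, pos)
            if etype == 0x04:
                val = [val[k] for k in sorted(val, key=int)]
        elif etype == 0x08:
            val, pos = buf[pos] == 1, pos + 1
        elif etype == 0x10:
            val, pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        elif etype == 0x12:
            val, pos = struct.unpack_from("<q", buf, pos)[0], pos + 8
        else:
            raise ValueError(f"unsupported BSON type 0x{etype:02x} in field {name!r}")
        out[name] = val
    return out, end

def build_op_msg(doc, request_id=1, response_to=0):
    """16-byte header, then flagBits=0 and one kind-0 body section holding the document."""
    body = struct.pack("<I", 0) + b"\x00" + bson_encode(doc)
    return struct.pack("<iiii", 16 + len(body), request_id, response_to, OP_MSG) + body

def parse_reply(data):
    """Return the body document of an OP_MSG reply, or raise if it is not one."""
    if struct.unpack_from("<i", data, 12)[0] != OP_MSG or data[20] != 0:
        raise ValueError("not a kind-0 OP_MSG reply")
    return parse_bson(data, 21)[0]

def classify(reply):
    """Verdict plus whatever database names the server handed over."""
    if reply.get("ok") == 1:
        return "UNAUTHENTICATED ACCESS", [d["name"] for d in reply.get("databases", [])]
    if reply.get("code") == UNAUTHORIZED:
        return "AUTH REQUIRED", []
    return "OTHER ERROR", [reply.get("errmsg", "")]

def probe(host, port=27017, timeout=5.0):
    """Connect, send listDatabases with no credentials at all, classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_op_msg({"listDatabases": 1, "$db": "admin"}))
        stream = sock.makefile("rb")
        header = stream.read(16)
        body = stream.read(struct.unpack_from("<i", header)[0] - 16)
    return classify(parse_reply(header + body))

# Constructed sample replies (not captured from any real server) so the decoder and
# the verdict logic can be exercised offline.
SAMPLE_UNAUTHORIZED_REPLY = build_op_msg(
    {"ok": 0.0, "errmsg": "command listDatabases requires authentication",
     "code": UNAUTHORIZED, "codeName": "Unauthorized"}, request_id=7, response_to=1)
SAMPLE_EXPOSED_REPLY = build_op_msg(
    {"databases": [{"name": "admin", "sizeOnDisk": 40960, "empty": False},
                   {"name": "customer_docs", "sizeOnDisk": 5_200_000_000, "empty": False}],
     "totalSize": 5_200_040_960, "ok": 1.0}, request_id=8, response_to=1)

if __name__ == "__main__":
    print(*probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 27017))
```

Run it as `python probe.py <host> [port]` against a host you are authorised to test; an "UNAUTHENTICATED ACCESS" verdict with a list of names is exactly the condition Diachenko found. Two caveats: OP_MSG is only understood by MongoDB 3.6 and later (older servers need the legacy OP_QUERY format), and the probe speaks plaintext, so a TLS-only listener will not answer. The fix on the server side is the boring one: set `security.authorization: enabled` in mongod.conf, keep `net.bindIp` on the internal interface, and filter port 27017 at the perimeter, then re-run a check like this from outside to confirm.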
Featured image: Shutterstock