Misconfigured MongoDB account puts 200,000 files at risk

By /

As reported by Infosecurity Magazine, a whitehat researcher named Bob Diachenko uncovered a MongoDB account that could have theoretically been accessed by anyone. The database in question belonged to ABBYY, a “global document recognition and content capture software developer.” The MongoDB account was not password protected and, according to Diachenko, this is problematic because:

The biggest concern was the fact MongoDB in question also contained a large chunk of scanned documents (more than 200,000 contracts, NDAs, memos, letters and other internal documentation, properly OCR’d and stored) which apparently were stored by ABBYY partners using their administration console.

ABBYY’s clients include major companies like McDonald’s, Volkswagen, and the Reserve Bank of Australia, so these accounts being publicly available could have been catastrophic. ABBYY reportedly shut down access to the database once Bob Diachenko emailed them with his findings. The problem is, there is no telling just who else knew about this flaw that could be exploited for recon involved in future cyberattacks. ABBYY itself already admitted in a statement that the so-called “temporary data breach” has in fact affected one of their clients. Though they have started a “full corrective security review of” their infrastructure, processes, and procedures, it may be too little, too late.

Misconfigured databases are something penetration testers come across all the time in our work (I myself am a penetration tester). Be it in MySQL or other databases, it is always a bit alarming at just how many of these databases are vulnerable. Databases hold a treasure trove of information, from user accounts to other sensitive data that, if exposed to the public, could compromise numerous facets of an organization.

As this MongoDB misconfiguration shows, it is vital that organizations perform constant security checks, including hiring outside help from penetration testers to find the vulnerable areas of databases (or anything else) before something like this occurs again.

Featured image: Shutterstock

About The Author

Derek Kortepeter is a graduate of UCLA and tech journalist. Kortepeter specializes in areas such as cyber defense, privacy rights, cyber warfare, and governmental InfoSec policy.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top