A brief reminder that MongoDB is insecure out of the box

While running a Mongo instance today, I overlooked something pretty stupid and nearly let an attacker into my computer. I had just done a brand-new install of Mongo and was running the mongod server to do some testing. I left my computer for a bit and returned to the following warning from Little Snitch:

[Screenshot 2015-09-03 00.02.20: Little Snitch warning about an inbound connection to mongod]

This is exactly what it looks like: mongod had bound itself to every network interface on port 27017, straight out of the box. No password was set, authentication was off, and nothing restricted who could connect from outside. A quick Google search shows dozens of Mongo instances compromised by this IP address alone. Anyone who can reach that port gets full read/write access to every database at best, and possibly remote code execution at worst. The fix is two lines in mongod.conf: bind to localhost (or one specific interface) and turn on authorization before the server is ever reachable. Obviously this isn't exclusive to Mongo; people leave default logins on their public servers all the time. But nevertheless, it's a good reminder not to assume software is safe straight out of the box.
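The two settings that matter here, as an added example that is not from the original post: a constructed mongod.conf in the state the post describes beside a hardened one, and a small checker that flags the weak settings. The YAML parser is a deliberately minimal assumption of this example (flat key/value maps with 2-space indentation, which is all mongod.conf normally needs); it is not a general YAML parser and not MongoDB's own code.

```python
"""Audit a mongod.conf (YAML format, MongoDB 2.6+) for the settings that let a
fresh install be reached and driven from the internet: net.bindIp at 0.0.0.0
(or omitted, which pre-3.6 builds treated as "all interfaces") and
security.authorization left disabled."""

# Constructed sample configs for this example (not taken from the post).
WEAK_CONF = """\
# listens on every interface, no authentication
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Addresses that mean "bind to everything".
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def parse_simple_yaml(text):
    """Parse the 'key: value' / nested-map subset of YAML used by mongod.conf.
    Assumption of this example: no lists, anchors, or quoted strings."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the enclosing maps
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack and stack[-1][0] >= indent:  # climb back out to the parent
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a key with no value opens a nested map
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def get(conf, *path, default=None):
    """Walk a dotted path such as ('net', 'bindIp') through the parsed config."""
    node = conf
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(conf_text):
    """Return a list of human-readable findings; an empty list means both
    exposure settings are in the safe state."""
    conf = parse_simple_yaml(conf_text)
    findings = []

    bind_ip = get(conf, "net", "bindIp")
    if bind_ip is None:
        findings.append(
            "net.bindIp not set: pre-3.6 builds default to 0.0.0.0 (all interfaces)")
    else:
        exposed = [a.strip() for a in str(bind_ip).split(",")
                   if a.strip() in WILDCARD_ADDRS]
        if exposed:
            findings.append(
                "net.bindIp includes %s: reachable from every interface"
                % ",".join(exposed))
    if str(get(conf, "net", "bindIpAll", default="false")).lower() == "true":
        findings.append("net.bindIpAll is true: reachable from every interface")

    if get(conf, "security", "authorization") != "enabled":
        findings.append(
            "security.authorization not enabled: any client that connects has full access")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(text) or "OK")
```

After enabling authorization on a server with no users, MongoDB's localhost exception still lets you create the first admin user from a shell on the same machine, so enabling it before creating users does not lock you out. MongoDB 3.6 later changed the packaged default to bind to localhost only; the checker above still treats a missing bindIp as a finding because the point is to make the exposure explicit rather than trust the version's default.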

Stay safe!
