A brief reminder that mongodb is insecure out of the box

While running a mongo instance today, I overlooked something pretty stupid and nearly let an attacker into my computer. I had just done a brand new install of mongo and was running mongod to do some testing. I left my computer for a bit and returned to the following warning from Little Snitch: [Screenshot of the Little Snitch warning, 2015-09-03]

This is exactly what it looks like: mongo had opened itself up publicly on port 27017, straight out of the box. There was no password set, and no remote restrictions. A quick Google search shows dozens of mongo instances compromised by this IP address alone. This means full db read-write access at best, and possibly remote code execution at worst. Obviously this isn’t exclusive to mongo; people leave default logins on their public servers all the time. But nevertheless, it’s a good reminder not to assume software is safe straight out of the box.
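The two settings that would have prevented this, as an added example and not part of the original post: a `mongod.conf` in MongoDB's YAML format that pins the listener to loopback and turns authorization on. Comments show the weak effective default the post describes next to the corrected value; the path and admin user name are assumptions.

```yaml
# /etc/mongod.conf (assumed path) - hardened single-host settings
# Start with: mongod --config /etc/mongod.conf
net:
  port: 27017
  # Weak default described in the post: listening on every interface
  # (equivalent to bindIp: 0.0.0.0), reachable from the internet.
  # Corrected: only accept connections from the local machine. Add a
  # specific private address, comma-separated, only if a remote client
  # genuinely needs access.
  bindIp: 127.0.0.1

security:
  # Weak default: no authorization, so any connection has full read/write.
  # Corrected: require authenticated users with assigned roles.
  authorization: enabled

# Bootstrap note: with authorization enabled and no users yet, MongoDB's
# localhost exception lets the first admin be created from 127.0.0.1 only:
#   use admin
#   db.createUser({ user: "admin" /* assumed name */,
#                   pwd: passwordPrompt(),
#                   roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
# After that, every client, including local test scripts, must authenticate.
```

A host firewall rule blocking inbound 27017 is a second, independent layer; it would have caught this misconfiguration even if the config had never been touched.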

Stay safe!
