MacKeeper Leak Highlights Danger of Misconfigured Databases

The Shodan port-scanning service finds at least 35,000 MongoDB databases accessible without a password.

A security researcher gained access to a database holding information on millions of users of the often-criticized MacKeeper Mac OS X utility program, after a simple Internet search highlighted the developer's misconfigured MongoDB server, developer Kromtech acknowledged on Dec. 14.

Researcher Chris Vickery notified the firm after he used the Shodan port-scanning service to find MongoDB servers with unsecured ports. Kromtech's database was among the identified insecure servers. The database stores customers' names, purchased products, license information and user credentials, including hashed passwords, Kromtech stated in a blog post on its MacKeeper site.

Kromtech thanked Vickery for privately disclosing the issue, and locked down the port.

"We fixed this error within hours of the discovery," the company said in the alert about the issue. "Analysis of our data storage system shows only one individual gained access … [an act] performed by the security researcher himself."

Vickery searched for the default port used by MongoDB using the Shodan service and then identified the owners of the IP addresses. Shodan regularly scans the Internet for open ports, signs that a program is waiting to communicate with the outside world. Unsophisticated users, or misconfigured servers, can often expose insecure ports to the Internet.

The dead-simple breach highlights the danger posed by databases directly connected to the Internet, among them tens of thousands of MongoDB databases. Anyone knowing the databases' Internet addresses can gain access to more than 680 terabytes of data on 35,000 servers, according to an analysis by Shodan founder John Matherly. Digital Ocean and Amazon host large numbers of the vulnerable MongoDB servers, according to the analysis.

Previously, "it looked like the misconfiguration problem might solve itself due to the new defaults that MongoDB started shipping with," he wrote. "That doesn't appear to be the case based on the new information. It could be that users are upgrading their instances but using their existing, insecure configuration files."

Matherly stressed that the misconfiguration issue does not just affect MongoDB servers but also many other types of databases.

Security firm Rapid7, which has found a plethora of insecure devices by scanning the Internet, agreed that database servers should be cordoned off from the Internet. At the very least, administrators should block the communications port used by MongoDB from being accessed from the Internet, Tod Beardsley, security research manager at Rapid7, told eWEEK.

"The lesson is don't expose your databases to the Internet," he said. "There is not a whole lot of utility for it, and I cannot think of any legitimate reason to do it."
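Matherly's point about existing configuration files surviving an upgrade can be checked on your own servers. The following is an added example, not code from the article, Kromtech, Shodan or MongoDB: a small audit of a `mongod` configuration file in either the YAML or the older key=value format. The finding names and both sample files are constructed for illustration.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_mongod_conf(text):
    """Flatten a mongod config (YAML or legacy key=value) into dotted keys."""
    settings, stack = {}, []  # stack: (indent, key) of open YAML sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        legacy = re.match(r"^\s*(\w+)\s*=\s*(.*)$", line)
        if legacy:  # old-style file, e.g. "bind_ip = 0.0.0.0"
            settings[legacy.group(1)] = legacy.group(2).strip()
            continue
        m = re.match(r"^(\s*)([\w.]+)\s*:\s*(.*)$", line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).strip().strip("\"'")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sections that ended at this indent
        if value:
            settings[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return settings

def audit(text):
    """Return findings for the two settings that decide exposure."""
    s = parse_mongod_conf(text)
    bind = s.get("net.bindIp") or s.get("bind_ip") or ""
    addrs = {a.strip() for a in bind.split(",") if a.strip()}
    bind_all = s.get("net.bindIpAll", "").lower() == "true"
    auth_on = (s.get("security.authorization", "").lower() == "enabled"
               or s.get("auth", "").lower() == "true")
    findings = []
    if bind_all or addrs - LOOPBACK:
        findings.append("listens-beyond-loopback")
    elif not addrs:  # default differs by version, so flag for review
        findings.append("bind-address-unset")
    if not auth_on:
        findings.append("no-authentication")
    return findings

# Constructed samples: a legacy file kept across an upgrade, and a locked-down one.
LEGACY = "# carried over from an old install\nport = 27017\nbind_ip = 0.0.0.0\n"
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
            "security:\n  authorization: enabled\n")
print(audit(LEGACY), audit(HARDENED))
```

A `listens-beyond-loopback` finding means the server accepts connections on a non-local interface; whether that interface is reachable from the Internet still depends on the firewall in front of it.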

Kromtech assured customers that the data exposed by the misconfigured database did not include financial details.

"All customer credit card and payment information is processed by a third party merchant and was never at risk," the company stated. "Billing information is not transmitted or stored on any of our servers."

MacKeeper is a system cleaning and maintenance application that has garnered a great deal of criticism over the years for causing instability and for the developer's marketing tactics. In a previous interview, however, Jeremiah Fowler, a spokesperson for Kromtech, has argued that the product has been the target of smear campaigns.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...