A breach of the MacKeeper security software has left 13 million Apple users vulnerable.
Kromtech, which makes the software, has acknowledged that a flaw exposed user names, email addresses and other personal information. The security hole was uncovered by security researcher Chris Vickery, who in a fit of boredom searched the search engine Shodan.io for "port:27017," the default listening port of the MongoDB database management system.
His search returned four different IP addresses associated with Kromtech, each offering unfettered access to customer data without the need for username and password authentication.
"The data was/is publicly available," Vickery wrote on Reddit. "No exploits or vulnerabilities involved. They published it to the open web with no attempt at protection."
The issue was an oversight that Kromtech had been unaware of, and the company quickly closed the hole. "Analysis of our data storage system shows only one individual gained access performed by the security researcher himself," Kromtech said in a statement. "We have been in communication with Chris and he has not shared or used the data inappropriately."
Fortunately, the company doesn't collect sensitive personal information from customers, and uses a third party to process payments. But the exposed user names and password hashes can still be used in brute-force attacks on other services down the road.
"Billing information is not transmitted or stored on any of our servers. We do not collect any sensitive personal information of our customers," the company said. "The only customer information we retain are name, products ordered, license information, public IP address and their user credentials such as product specific usernames, password hashes for the customer's web admin account where they can manage subscriptions, support and product licenses."
Tod Beardsley, principal security research manager at Rapid7, said in an emailed comment that the issue highlights a perennial problem: the unintentional exposure of MongoDB databases to the Internet.
"MongoDB certainly has plenty of utility and use in many settings, but sadly, direct access over the internet isn't one of them," he said. "Unlike other database applications like PostgreSQL, Oracle DB, and Microsoft SQL Server, MongoDB does not have authentication and authorization as a significant part of its design history. It is designed, first and foremost, to listen only for connections on 'localhost,' that is, the same computer it's being hosted on. The job of authentication, therefore, is up to the operating system and the network administrator."
Although more recent versions of MongoDB do have mechanisms for authentication, secure access is "simply not part of its development DNA," he said.
Network administrators are advised to block TCP port 27017 at the network edge with their usual firewall controls. Developers who want to use MongoDB need to make sure authentication is handled appropriately, outside of MongoDB itself, Beardsley added.
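As an added illustration (not code from the article, Kromtech or Rapid7), a small Python audit of the two mongod.conf settings Beardsley's comments turn on: which addresses the server binds to, and whether access control is switched on. The sample configurations are constructed, the parser covers only the flat two-level subset of the YAML config file, and the check assumes, as recent MongoDB releases do, that an absent bindIp means loopback only.

```python
"""Audit a mongod.conf for the two settings behind an open-to-the-internet MongoDB."""
import ipaddress

# Constructed sample: the shape of configuration that publishes a database to the open web.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface, including the public one
"""

# Constructed sample: loopback only, with role-based access control enabled.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset of YAML that mongod.conf uses."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):                # top-level section header
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf

def is_local(addr):
    """True for loopback addresses and Unix socket paths; hostnames are treated as non-local."""
    addr = addr.strip()
    if addr == "localhost" or addr.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit(text):
    """Return a list of findings; an empty list means neither exposure condition is present."""
    conf, findings = parse_conf(text), []
    net, security = conf.get("net", {}), conf.get("security", {})
    exposed = [a for a in net.get("bindIp", "127.0.0.1").split(",") if not is_local(a)]
    if net.get("bindIpAll", "false").lower() == "true" or exposed:
        findings.append("net binds to non-loopback address(es): " + (", ".join(exposed) or "all"))
    if security.get("authorization", "disabled") != "enabled":  # MongoDB default is disabled
        findings.append("security.authorization is not enabled: anyone reaching the port can read everything")
    return findings
```

Run `audit()` on a real mongod.conf and treat any finding, not just a pair of them, as a reason to stop and fix the deployment before it is reachable.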