Sign up for our newsletter - Navigating the horizon of business technology​
Technology / Cybersecurity

Insecure MongoDB Databases Expose Chinese State Surveillance, Nuclear Plant

Exposed MongoDB databases are being used by Chinese surveillance operatives to store and share data collected from over 364 million profiles on social media sites, with the databases being used to mine social media messages – wide in the open.

The insecure MongoDB databases were discovered by non-profit GDI Foundation security researcher Victor Gevers, who disclosed his findings on Twitter as he also sought community help in identify messaging services connected to the databases.

The find comes just weeks after Gevers also identified an exposed MongoDB database with default credentials for a Chinese nuclear reactor. (Twitter users in the infosec community speculated that this was a honeypot*; it has since been pulled offline).

White papers from our partners

Please remove your open MongoDB databases from the internet.
Can you start with the ones of the CGNPC because this stuff should not exist online?

Blocking Shodan & Censys is not going to help if you forget to block ZoomEye.

/cc @cncert Please guide the CGNPC ?

— Victor Gevers (@0xDUDE) February 20, 2019

Gevers wrote on Twitter: “So this social media surveillance program is retrieving (private) messages per province from 6 social platforms and extracts named, ID numbers, ID photos, GPS locations, network information, and all the conversations and file transfers get imported into a large online database.”

MongoDB is a non-relational databases that store documents in flexible, binary representations called BSON (Binary JSON). This means fields can vary from document to document and data structure can be changed over time; as opposed to relational database management system like Oracle’s MySQL, which store data in tables and use structured query language for database access.0.

MongoDB Database Used on A Daily Basis by Surveillance Operatives

Gevers sought out help on Twitter to help identify the messaging services involved such as one displayed as ‘wxmsg’, which was correctly identified as the Wechat messaging service by other Twitter users.

He found that over 364 million online profiles, the data from their chats and file transfers were being processed through the MongoDB database on a daily basis. These online profiles were then being linked to the identity of an individual. This data was then transferred between police stations in cities and provinces across China.

He added that most of the conversations he viewed within the database appear to be ‘typical teenager conversations’.

He is still unclear how these conversations are being selected for review, as in which trigger words are triggering a manual review by a human. Gevers used a VPN to access the Chinese section of the internet which is controlled by the Chinese state.

On Feb 22, the National Computer Network Emergency Response Technical Team/Coordination Center of China CNCERT published an announcement on their website saying that they have found 468 public MongoDB instances in China so far and they are working with local authorities to get them fixed.

See Also: MongoDB Lets Rip at AWS After Amazon’s DocumentDB Launch

*Computer Business Review certainly hopes so… 
This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.