Exposed MongoDB databases are being used by Chinese surveillance operatives to store and share data collected from over 364 million profiles on social media sites, with the databases being used to mine social media messages – wide in the open.
The insecure MongoDB databases were discovered by non-profit GDI Foundation security researcher Victor Gevers, who disclosed his findings on Twitter as he also sought community help in identify messaging services connected to the databases.
The find comes just weeks after Gevers also identified an exposed MongoDB database with default credentials for a Chinese nuclear reactor. (Twitter users in the infosec community speculated that this was a honeypot*; it has since been pulled offline).
Gevers wrote on Twitter: “So this social media surveillance program is retrieving (private) messages per province from 6 social platforms and extracts named, ID numbers, ID photos, GPS locations, network information, and all the conversations and file transfers get imported into a large online database.”
MongoDB is a non-relational databases that store documents in flexible, binary representations called BSON (Binary JSON). This means fields can vary from document to document and data structure can be changed over time; as opposed to relational database management system like Oracle’s MySQL, which store data in tables and use structured query language for database access.0.
One of the multiple intelligence feeds showing the distribution of triggered events routed to the police stations identified by numbers. It's a very effective way of spreading the workload from a single source to multiple operators. It will require tremendous work ethics as well pic.twitter.com/JOXus89GPf
MongoDB Database Used on A Daily Basis by Surveillance Operatives
Gevers sought out help on Twitter to help identify the messaging services involved such as one displayed as ‘wxmsg’, which was correctly identified as the Wechat messaging service by other Twitter users.
He found that over 364 million online profiles, the data from their chats and file transfers were being processed through the MongoDB database on a daily basis. These online profiles were then being linked to the identity of an individual. This data was then transferred between police stations in cities and provinces across China.
He added that most of the conversations he viewed within the database appear to be ‘typical teenager conversations’.
He is still unclear how these conversations are being selected for review, as in which trigger words are triggering a manual review by a human. Gevers used a VPN to access the Chinese section of the internet which is controlled by the Chinese state.
On Feb 22, the National Computer Network Emergency Response Technical Team/Coordination Center of China CNCERT published an announcement on their website saying that they have found 468 public MongoDB instances in China so far and they are working with local authorities to get them fixed.