
posted by Fnord666 on Monday August 27 2018, @05:08AM
from the secure-your-databases dept.

Submitted via IRC for SoyCow4408

The makers of Sitter, a popular app for connecting babysitters with parents, have involuntarily exposed the personal details of over 93,000 users.

The exposure took place last week and was caused by a MongoDB database left exposed on the Internet with no credentials.

Independent security researcher Bob Diachenko discovered the database. He told Bleeping Computer that he spotted the database on August 14, when he immediately reported the issue to the Sitter app makers. The Sitter team secured the database on the same day of the report, Diachenko said.

The database was previously indexed on Shodan, a search engine for Internet-connected devices, a day earlier, on August 13.

Source: https://www.bleepingcomputer.com/news/security/mongodb-server-exposes-babysitting-apps-database/

  • (Score: 3, Interesting) by bradley13 on Monday August 27 2018, @09:38AM (3 children)

    by bradley13 (3053) on Monday August 27 2018, @09:38AM (#726830) Homepage Journal

    "...have involuntarily exposed the personal details of over 93,000 users"

    That's a strange word to use. Involuntarily, like it happened and they could do nothing about it. How about "stupidly", "irresponsibly", or maybe "carelessly"?

    This kind of stuff is just beyond belief. Not only that the database should require credentials to log in; this is presumably the backend for their web service, so the server should refuse external database connections on principle. Security kindergarten here...

    --
    Everyone is somebody else's weirdo.
  • (Score: 2) by c0lo on Monday August 27 2018, @10:25AM

    by c0lo (156) Subscriber Badge on Monday August 27 2018, @10:25AM (#726841) Journal

    "Involuntarily" as in "I forgot about it". Like in "you don't accuse me I voluntarily forgot, do you?"

    Because they need to show this as "minor mistake, could happen to anyone". After all, what's the penalty for private data breaches? Especially when no CC or other financial info was exposed, and especially when our ToS (which consumers agreed with) allows us to sell this data to third parties anyway.

    Does any consumer have a standing if they cannot show evidence of harm?

    For this matter, do you have a standing? 'Cause without any skin in the game, you may be liable for slander calling them 'stupid' and 'irresponsible'.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 2) by RS3 on Monday August 27 2018, @02:05PM

    by RS3 (6367) on Monday August 27 2018, @02:05PM (#726894)

    I think they're trying to befuddle by planting a word seed in people's minds.

    The criminal prosecution will use: "negligently".

  • (Score: 0) by Anonymous Coward on Monday August 27 2018, @03:06PM

    by Anonymous Coward on Monday August 27 2018, @03:06PM (#726929)

    Not only that the database should require credentials to log in; this is presumably the backend for their web service, so the server should refuse external database connections on principle. Security kindergarten here...

    MongoDB should require credentials to log in, but ... from an article on medium.com:

    MongoDB comes without any default authentication mechanisms. This provides restriction-free access to all the users who can access any database or any data within it. This in turn raises security concerns.
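The two controls the comments above argue about, access control and not listening on the public Internet, are both plain mongod.conf settings. The following is an added illustration, not a configuration from the article, from Sitter, or from the quoted medium.com post; the addresses and port are hypothetical, and the first document reproduces the state the breach implies rather than any particular release's defaults.

```yaml
# Added example: exposed versus hardened mongod.conf (YAML), two documents in one file.
# Document 1: the state the breach implies. Older mongod releases shipped listening on
# all interfaces; MongoDB 3.6 and later default bindIp to localhost, but authorization
# is still off unless you enable it.
net:
  bindIp: 0.0.0.0          # reachable from every interface, including the Internet
  port: 27017              # hypothetical; the well-known default that Shodan indexes
security:
  authorization: disabled  # any client that can connect reads and writes every database
---
# Document 2: hardened. Both settings are needed: authorization alone still leaves the
# service reachable for credential guessing, and a private bind address alone still
# lets anything on that network in without a password.
net:
  bindIp: 127.0.0.1        # only the local application server; use a private interface
  port: 27017              # address or a Unix socket if the app tier is on another host
security:
  authorization: enabled   # every client must present credentials tied to a role
```

With `authorization: enabled` and no users yet defined, mongod's localhost exception lets you create the first administrator from the server itself (for example `db.createUser()` in the admin database over a local connection), after which that exception no longer applies. Restart mongod after the change and confirm from an outside host that port 27017 no longer accepts a connection.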