Leaky database server left exposed online is at fault.For the past few weeks, security researcher Chris Vickery has been working on discovering insecure applications and contacting the makers of those apps to have the issues resolved.
One of the applications he found to leak quite a large amount of personal user details is MacKeeeper by Kromtech Alliance.
MacKeeper is the equivalent of an antivirus combined with adware, which many Mac users have come to hate in the past years and have even got so far with their distaste for the app that they’ve collectively sued the developer for showing false warnings about inexistent malware on their Macs.
The “MongoDB default config” issue strikes again
Now, as Mr. Vickery reveals, the company behind the app left a MongoDB server improperly configured, accessible via external connections. This server held information on 13 million MacKeeper users.
The issue is an old one, documented by many security researchers in the past, so Kromtech is solely at fault for the data leak. Apparently, the dev team had used a MongoDB instance without changing its default settings, where the 27017 port was left open for connections via the Internet.
Previous research from this February revealed that about 40,000 MongoDB databases were leaking data in the same way. In July, later in the year, the number went down to 30,000, but companies were still leaking 600 terabytes of data. Even worse, in August, another set of researchers found 1.2 petabytes of data in the same way, but also from Redis, Elasticsearch, and Memcached servers.
When we wrote about these issues, we were contacted by MongoDB representatives that told us that the open port issue was only in very old versions of MongoDB, having been patched well over a year ago. So what this means is that, besides leaving an insecure database online, Kromtech used an older version as well, something that no security expert would ever recommend.
MacKeeper database was secured hours later
When Vickery discovered the flaw, he contacted Kromtech, who fixed the issue right away and issued a press release about the incident, assuring users that, after an internal assessment, it was discovered that only Mr. Vickery accessed the insecure server and nobody else had snooped around on their database.
Kromtech also said that a third-party firm handles credit card data, so at least users were in no serious danger if others had accessed the data.
Using the same technique through which he discovered the insecure MacKeeper database, Mr. Vickery also found a large number of user details leaking from many other apps and services. These are:
→ OkHello – video chat app (2.6 million accounts)
→ Slingo – online gaming site (2.5 million accounts)
→ iFit – fitness app (576,000 accounts)
→ Vixlet – social network (377,000 accounts)
→ California Virtual Academies – online school network (74,000 accounts)
→ Hzone – dating app for HIV patients (5,027 accounts)