Digital delinquent deletes developer's database during disastrous Docker deployment, defaults damned

NewsBlur RSS tracker accidentally left MongoDB store facing public internet during migration to containers


NewsBlur, an RSS news reading app for the web and mobile devices, recently had one of its databases deleted thanks to an insecure default setting that has dogged developers using Docker since 2014.

In a blog post this week, Samuel Clay, founder of NewsBlur, recounted how an unknown vandal deleted a database from his app's dockerized MongoDB cluster using a "Docker footgun" – something set up in a way that invites shooting oneself in the foot, so to speak.

The incident happened as Clay was in the process of moving NewsBlur, which currently relies on PostgreSQL, MongoDB, Redis and Elasticsearch, to Docker containers in preparation for a redesign. He switched the app's MongoDB cluster over to the new servers and shut down the original server, intending to delete it once the new setup proved stable.

Clay explains that the Uncomplicated Firewall (ufw) he had enabled on his internal servers didn't protect a new server as expected because of an insecure Docker default.

"When I containerized MongoDB, Docker helpfully inserted an allow rule into iptables, opening up MongoDB to the world," he explained. "So while my firewall was 'active,' doing a sudo iptables -L | grep 27017 showed that MongoDB was open to the world."

The exposed database appears to have been spotted and deleted by an automated ransomware script after about three hours. Clay said he was alerted to the disaster when he received an error message from NewsBlur on his phone. The error message included "drop", as in the command that deletes a database (DROP DATABASE in SQL's data definition language, dropDatabase in MongoDB).

Upon examining his MongoDB installation, he found a new empty database named "READ__ME_TO_RECOVER_YOUR_DATA" that included a demand for 0.03 BTC (~US$1,094).

Clay had no reason to pay the ransom, however, because he determined no data had actually been stolen and he had a backup of the erased database.

Looking through his MongoDB access logs, he was able to spot two connections from a Tor exit node that occurred right before the deletion. While some site owners block IP addresses associated with Tor exit nodes, Clay said NewsBlur has not done so, to allow people in internet-censored countries to bypass content restrictions and to promote free speech.

The Docker footgun – installing Docker on an Ubuntu Linux host with ufw enabled, where any port a container publishes silently bypasses the ufw rules because Docker writes its own accept and NAT rules directly into iptables – has been a matter of concern among developers for the past seven years. The problem is widely known enough that various online posts offer workaround advice.
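The check Clay ran (grepping iptables for 27017) and the workarounds the article alludes to come down to one question: which published ports does Docker's nat-table DOCKER chain forward without a host-address restriction? The script below is an added example, not code from NewsBlur, Docker or the article. It parses the output format of `iptables -t nat -S DOCKER`; the rule lines in `SAMPLE_NAT_RULES` are constructed to illustrate one port published as `-p 27017:27017` and one as `-p 127.0.0.1:6379:6379`, and are not a capture from Clay's server. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: list Docker-published ports reachable from any interface.
#
# Why an "active" ufw does not help: ufw's rules sit in the INPUT chain, but a
# packet for a published port is rewritten by Docker's DNAT rule in the nat
# PREROUTING/DOCKER chain and then traverses FORWARD, where Docker's own
# DOCKER chain ACCEPTs it. INPUT, and therefore ufw, never sees it. Publishing
# on 127.0.0.1 makes Docker add "-d 127.0.0.1/32" to the DNAT rule, so only
# loopback traffic matches.

# Constructed sample of `iptables -t nat -S DOCKER` output (not a real capture):
# 27017 was published on all interfaces, 6379 on loopback only.
SAMPLE_NAT_RULES='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 27017 -j DNAT --to-destination 172.17.0.2:27017
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379'

# exposed_ports: read `iptables -S` lines on stdin and print "proto/port" for
# every DNAT rule with no host-address restriction (or an any-address one).
exposed_ports() {
    while IFS= read -r line; do
        case "$line" in
            *"-j DNAT"*) ;;        # only port-publishing rules matter
            *) continue ;;
        esac
        proto=$(printf '%s\n' "$line" | sed -n 's/.* -p \([a-z]*\) .*/\1/p')
        port=$(printf '%s\n' "$line" | sed -n 's/.* --dport \([0-9]*\) .*/\1/p')
        dst=$(printf '%s\n' "$line" | sed -n 's/.* -d \([0-9./]*\) .*/\1/p')
        case "$dst" in
            ""|0.0.0.0/0) printf '%s/%s\n' "$proto" "$port" ;;  # world-reachable
        esac
    done
}

# check_host: run the same check against the live firewall (root + iptables).
check_host() {
    iptables -t nat -S DOCKER | exposed_ports
}

# As a script: `sh docker-exposed.sh --live` exits 1 if anything is exposed.
if [ "${1:-}" = "--live" ]; then
    found=$(check_host)
    [ -z "$found" ] || { printf 'world-reachable published ports:\n%s\n' "$found"; exit 1; }
fi
```

If the check reports a database port, the fixes Docker's own networking documentation supports are: publish on loopback (`-p 127.0.0.1:27017:27017`) when only local processes need it; do not publish at all and let the app reach the database by container name on a user-defined bridge network; or add explicit DROP rules for external interfaces to the DOCKER-USER chain, which Docker evaluates before its own rules and never overwrites. Setting `"iptables": false` in `/etc/docker/daemon.json` also stops the rule insertion, but it disables Docker's NAT for all containers and is not a drop-in fix.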

Lack of secure defaults is also an issue for various databases. Last year, several thousand inadequately secured databases were deleted in what's been referred to as a "Meow" attack.

The Register asked Docker why it hasn't implemented a more secure default but we've not heard back. Docker's documentation does warn that it manipulates iptables, the command-line utility used to configure IP packet-filtering rules on Linux.

We put the same question to Clay, who responded, "Your guess is as good as mine. It’s sort of like the trade off between convenience and security. Here convenience won out." ®


Biting the hand that feeds IT © 1998–2021