Annual Computer Security Applications Conference (ACSAC) 2020

Full Program »

NoSQL Breakdown: A Large-scale Analysis of Misconfigured NoSQL Services

In the last years, NoSQL databases have grown in popularity due to their easy-to-deploy, reliable, and scalable storage mechanism. While most NoSQL services offer access control mechanisms, their default configurations grant access without any form of authentication, resulting in misconfigurations that may expose data to the Internet, as demonstrated by the recent high-profile data leaks.

In this paper, we investigate the usage of the most popular NoSQL databases, focusing on automatically analyzing and discovering misconfigurations that may lead to security and privacy issues. We developed a tool that automatically scans large IP subnets to detect the exposed services and performs security analyses on them, without storing nor exposing any sensitive data. We analyzed 67.725.641 IP addresses between October 2019 and March 2020, spread across several CSP, and found 12.276 misconfigured databases. The risks associated with exposed services range from data leaking, which may pose a significant menace to users' privacy, to data tampering of resources stored in the vulnerable databases, which may pose a relevant threat to a web service reputation. Regarding the last point, we found 742 potentially vulnerable websites linked to misconfigured instances with the write permission enabled to anonymous users.

Dario Ferrari
Politecnico di Milano

Michele Carminati
Politecnico di Milano

Mario Polino
Politecnico di Milano

Stefano Zanero
Politecnico di Milano

Paper (ACM DL)

Slides

Video

 



Powered by OpenConf®
Copyright©2002-2021 Zakon Group LLC