This is a security advisory for users who are using MongoDB in their projects.
Recently MongoDB has made the headlines because malicious hackers were able to delete or ransom a large number of MongoDB databases. Chances are that if you are using Xill IDE you have also installed MongoDB on your system. While we are not affiliated with MongoDB in any way, we offer this e-mail as an extra service and a reminder to look at your security settings.
What is going on?
MongoDB comes with default settings intended for development, which make it easy to access. In fact, all built-in security is turned off by default. The trade-off is that it is also easy to break into the database if you are on the same network. Several hacking groups have now found a way to exploit this weakness to break into unsecured MongoDB systems.
What can and should we do?
Before we go into details, check your code. If you are using the Unified Data Model with the Document plugin in Xill IDE, then you cannot use MongoDB authentication. If you are using only the MongoDB plugin, then you can enable authentication per database. In both cases we recommend doing at least the following:
- If you did not install MongoDB, you do not have to act. Relax.
- If you do have MongoDB and you are using it only for development, please set your MongoDB to accept only requests from your local machine. Use the net.bindIp setting in your configuration file to bind to the IP address 127.0.0.1.
- If you are using MongoDB on a server environment for production purposes, please add only the IP addresses that you trust using net.bindIp in your configuration file (separate the list with commas).
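The two net.bindIp settings described above, written out as a mongod.conf fragment. This is an added example and not part of the original advisory or of Xill IDE; it assumes the YAML configuration format (MongoDB 2.6 and later) and the usual file location (/etc/mongod.conf on Linux, mongod.cfg in the MongoDB bin directory on Windows). The 10.0.5.12 address is a constructed placeholder.

```yaml
# Added example, not from the advisory: network settings for mongod.conf.
# Default (unsafe for anything but an isolated machine): no bindIp at all,
# which on older releases means mongod listens on every network interface.

# --- Development machine: accept connections from the local host only ---
net:
  port: 27017
  bindIp: 127.0.0.1

# --- Production server: listen only on the addresses you trust ---
# Alternative to the block above (a YAML file may contain only one "net" key).
# bindIp is one comma-separated string, not a YAML list.
# 10.0.5.12 is a constructed placeholder for the server's internal interface.
# net:
#   port: 27017
#   bindIp: 127.0.0.1,10.0.5.12

# --- Optional, only if your setup allows MongoDB authentication ---
# security:
#   authorization: enabled
```

Restart the mongod service after editing the file, then confirm it is only listening where you expect, for example on Linux with `ss -ltn | grep 27017`. Note that net.bindIp selects the local interfaces mongod listens on; it is not a list of allowed clients. Anyone who can reach a bound non-loopback address can still connect, so in production combine it with a firewall rule that admits only your application servers and, where the Xill setup permits it, with authentication.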
Please note that MongoDB is just like any other database system in this respect: if you want to use a database for production purposes, you will have to think about security.
For more information on securing MongoDB, see the MongoDB security checklist.