Another family tracking app with a massive data leak
-
[TechCrunch](https://techcrunch.com/2019/03/23/family-tracking-location-leak/):
> The app, Family Locator, built by Australia-based software house React Apps, allows families to track each other in real-time, such as spouses or parents wanting to know where their children are. It also lets users set up geofenced alerts to send a notification when a family member enters or leaves a certain location, such as school or work. But the backend MongoDB database was left unprotected and accessible by anyone who knew where to look. ... None of the data was encrypted.
None of this fail is a surprise either. :doh: One thing I'm wondering about though. We virtually never see stories about OtherNoSqlDatabase or AnySqlDatabase being left wide open on the internet and megapwnd, it's always Mongo. Is there something specific about Mongo that makes it particularly prone to this sort of fail?
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
-
Well let's hear it from Mongo himself: Blazing Saddles - Mongo - YouTube :-\
-
MongoDB is the most popular NoSQL technology, and it's marketed to beginners and amateurs more than other NoSQL technologies are. If an inexperienced developer botches security, they probably do it with technology that's common among inexperienced developers.
-
For the same reason PHP pages are the most vulnerable to attacks and software written in Visual Basic usually sucks. Give monkeys dangerous tools, get zillions of injured.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
-
> MongoDB is the most popular NoSQL technology, and it's marketed to beginners and amateurs more than other NoSQL technologies are. If an inexperienced developer botches security, they probably do it with technology that's common among inexperienced developers.
Then why don't we see a similar number of mysql databases left wide open to the internet? It's the default backend to the most popular language among the clueless, PHP, but those sites are almost always pwnd via the webserver not by directly siphoning the database.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
-
> Then why don't we see a similar number of mysql databases left wide open to the internet? It's the default backend to the most popular language among the clueless, PHP, but those sites are almost always pwnd via the webserver not by directly siphoning the database.
The MySQL team has had a lot more time to idiot-proof their default installations and beginner guides, while the MongoDB team is still focusing on other things first. Read the following article for its side notes (which reveal insights into MongoDB's development): https://www.defmacro.org/2017/01/18/why-rethinkdb-failed.html In any case, (whether you like it or not) a few security disasters won't slow down MongoDB adoption, but slowing down development to handle random things (such as idiot-proofing the product) can have large negative impacts on adoption rates.
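The "idiot-proofing of default installations" discussed above comes down to two keys in mongod.conf: whether mongod listens beyond loopback (`net.bindIp` / `net.bindIpAll`) and whether clients have to authenticate (`security.authorization`, which is off unless you set it). The audit below is an added example for this thread, not code from the article, from React Apps or from MongoDB's own tooling. It works on a config already parsed into Python dicts (`yaml.safe_load` does that for the real file), and the two sample configs are constructed, not the app's actual setup. Version caveat: since MongoDB 3.6 the binary defaults to localhost only; earlier releases listened on every interface, which the `pre_3_6` flag reproduces.

```python
# Added example (not from the thread, the article, React Apps or MongoDB):
# audit the two mongod.conf settings that decide whether a database is
# "accessible by anyone who knew where to look". Sample configs at the
# bottom are constructed.

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::", "*"}     # "listen on every interface"


def bind_addresses(conf, pre_3_6=False):
    """Addresses mongod will listen on, from a mongod.conf already loaded
    into dicts (e.g. with yaml.safe_load). MongoDB 3.6+ defaults to
    localhost only; earlier binaries listened on all interfaces, which
    pre_3_6=True reproduces."""
    net = conf.get("net") or {}
    if net.get("bindIpAll"):
        return {"0.0.0.0"}
    raw = net.get("bindIp")
    if raw is None:
        return {"0.0.0.0"} if pre_3_6 else {"127.0.0.1"}
    # bindIp is a comma-separated string in the YAML form
    return {a.strip() for a in str(raw).split(",") if a.strip()}


def authorization_enabled(conf):
    """security.authorization defaults to 'disabled' when absent."""
    sec = conf.get("security") or {}
    return str(sec.get("authorization", "disabled")).lower() == "enabled"


def audit(conf, pre_3_6=False):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    addrs = bind_addresses(conf, pre_3_6)
    on_all = addrs & WILDCARD
    exposed = addrs - LOOPBACK      # anything reachable off the host
    if on_all:
        findings.append("net.bindIp listens on all interfaces: "
                        + ", ".join(sorted(on_all)))
    elif exposed:
        findings.append("net.bindIp listens on non-loopback addresses: "
                        + ", ".join(sorted(exposed)))
    if not authorization_enabled(conf):
        findings.append("security.authorization is not 'enabled': any client "
                        "that can connect can read every collection")
    if exposed and not authorization_enabled(conf):
        findings.append("CRITICAL: network-reachable and no authentication "
                        "required; this is the 'left wide open' configuration")
    return findings


# Constructed sample: the shape behind the story (auth never switched on,
# listening on every interface, nothing else in the way).
OPEN_CONF = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed sample: loopback only, authorization required.
HARDENED_CONF = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,::1"},
    "security": {"authorization": "enabled"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

An empty `mongod.conf` on a 3.6+ binary still trips the authorization finding, because the default is "no auth" even when the default bind is localhost; the same file on an older binary trips all three, which is why the flag is there.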
-
It's the VB thing -- there's nothing actually wrong with it except the skill level of most of its users.
I wanna be a eunuchs developer! Pass me a bread knife!
-
The point I find shocking is not the "massive data leak". It is the dystopian world where everyone needs to know about others' location in real time.
Oh sanctissimi Wilhelmus, Theodorus, et Fredericus!