Another MongoDB Hack Leaks Two Million Recordings Of Kids


No surprises here, but there’s been another big MongoDB hack and from the looks of it, it’s been owned for quite some time. This time 2 million records from over 820,000 accounts have been leaked due to yet another default MongoDB installation with no authentication listening on the public IP address.

Another MongoDB Hack Leaks Two Million Recordings Of Kids

The terrible part is, this has been happening for a while, the company has known about it and done nothing to secure it. What I suspect is if they turned auth on, the bears would probably stop working, and they couldn’t do that could they? I imagine they don’t have a firmware push facility built in to the bear.

Two million voice recordings of kids and their families were exposed online and repeatedly held to ransom – because an IoT stuffed-toy maker used an insecure MongoDB installation.

Essentially, the $40 cuddly CloudPets feature builtin microphones and speakers, and connect to the internet via an iOS or Android app on a nearby smartphone or tablet. Families can use the fake animals to exchange voice messages between their children, friends, and relatives.

For example, a parent away on a work trip can open the CloudPets app on their smartphone, record an audio message, and beam it to their kid’s toy via a tablet within Bluetooth range of the gizmo at home; the recording plays when the tyke press a button on the animal’s paw.

Similarly, the youngsters can record messages using the stuffed creature, and send the audio over to their mom, dad, grandparent, and so on, via the internet-connected app.


I suspect this was probably one of the earlier victms of the MongoDB Ransack that was exposed in January, with CloudPets being hit first sometime in December.

And even earlier last year was one of the first big public cases caused by MongoDB – BeautifulPeople.com Leak Exposes 1.1M Extremely Private Records.

These voice clips, along with records of 820,000 CloudPets.com accounts associated with the each of the toys, have been left wide open on the internet, with no password protection – allowing gigabytes of sensitive material to potentially fall into the hands of criminals. And it’s all due to the company’s poorly secured NoSQL database holding 10GB of this internal information.

CloudPets’ internet-facing MongoDB installation, on port 2701 at 45.79.147.159, required no authentication to access, and was repeatedly extorted by miscreants, evidence shows. The database contains links to .WAV files of voice messages hosted in the Amazon AWS S3 cloud, again accessible with no authentication, potentially allowing the mass slurping of more than two million highly personal conversations between families and their little ones.

It appears crooks found the database, presumably by scanning the public ‘net for insecure MongoDB installations, took a copy of all the data, deleted that data on the server, and left a note demanding payment for the safe return of a copy of the database. This happened three times, we’re told. Copies of data lifted from the CloudPets system has been passed between underground hacking groups, too, apparently.

I suspect we’ll see more of these as time goes on, the juicy ones have most likely been kept private for as long as possible to extort maximum value. They will only go public when one of the good guys gets wind of it (with proof). I have some reports of leaks too but I haven’t been able to validate them.

This one is pretty sad though, with kids voice messages being exposed. As a parent I can say I’ll not be allowing any IoT style toys anywhere near my kids, or cloud cameras or anything vaguely similar. If they want to send me a message they can use a Google Hangout or something.

Source: The Register

Posted in: Database Hacking, Exploits/Vulnerabilities

,


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


Comments are closed.