A backend service open to the world by default?

June 27, 2021, – 100 days to offload countdown #84

This is so crazy, I actually still can’t believe this is true. In 2021.

But let’s start at the begining. I use NewsBlur as news feed aggregator. Maybe I write a few paragraphs about it as part of my 100 writing days. A couple of days ago, the service “got hacked” and “blackmailed”. I set this in quotes, because what really happend is ridiculous.

The service migrated to new infrastructure in some way or another. Part of this migration was a mongodb docker instance. This instance got wiped clean with an attempt to get bitcoins in exchange for the wiped data or something like that. Nothing came of it, a backup was put in place and thats that. But how could the new instance be attacked?

It wasn’t really an oversight, but it wasn’t a skilled black-hat cracker either. In preperation of the migration the local firewall (uwf in this case) was instructed not to accept traffic on the mongodb port. So far so good, but once the docker-container was started, unbeknownst to the person performing the migration, it “helpfully” added a firewall rule to accept traffic on the mongodb-port from everywhere directly at the iptables level, circumventing uwf rules.

This is a known issue. And the real kicker is: They do this intentionally. You have to know about this and activly disable this behaviour. How is this a thing? Why is this not banned and ridiculed the ’net over? I get that docker has to meddle with the system to bind ports etc, but wouldn’t good practice demand that such behaviour as world wide reachability must intentionally be enabled by a user? I would never suspect a widespread tool like docker to behave in such a way 1 – and I’m really glad we don’t use it in production, only to unify development environments 2. If we ever decide to , I know now to be wary and on the lookout for foot-shooters like this.

Footnotes:

1

I guess phps rich history of idiosyncratic behaviour should have been a warning

2

and we don’t use mongodb