NewsBlur, an RSS news reader app for the web and mobile devices, recently had one of its databases wiped thanks to an insecure Docker default that developers have been flagging to Docker since 2014.
In a blog post this week, Samuel Clay, founder of NewsBlur, described how an unknown vandal used a “Docker footgun” – a default that, so to speak, helps you shoot yourself in the foot – to delete a database from his app’s dockerized MongoDB cluster.
The incident happened while Clay was moving NewsBlur, which currently runs on PostgreSQL, MongoDB, Redis and Elasticsearch databases, to Docker containers in preparation for a redesign. He moved the app’s MongoDB cluster to the new servers and shut down the original server, to be deleted once the new setup proved stable.
Clay explains that the Uncomplicated Firewall (ufw) he had enabled on his internal servers did not behave as expected on the new server because of an insecure Docker default.
Helpful?
“When I containerized MongoDB, Docker put an allow rule in iptables to open MongoDB to the world,” he explained. “When my firewall was ‘active’, I did sudo iptables -L | grep 27017, which showed that MongoDB was open to the world.”
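The check Clay describes can be scripted so that it runs against iptables-save output rather than being eyeballed. The following is an added example, not code from the article or from NewsBlur: the two sample rule sets are constructed to mimic what Docker writes for a container published with -p 27017:27017 versus -p 127.0.0.1:27017:27017, and the function names exposed_ports_in and is_port_exposed are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or NewsBlur). Audits iptables-save style
# output for Docker DNAT rules that publish a container port on every
# interface, which is exactly what ufw cannot see or block.

# Constructed sample: approximate `iptables-save -t nat` output after
# `docker run -p 27017:27017 mongo`. The DNAT rule has no -d restriction, so
# any host that can reach the server on TCP 27017 reaches the container.
SAMPLE_EXPOSED='*nat
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 27017 -j DNAT --to-destination 172.17.0.2:27017
COMMIT'

# Constructed sample: the same container published on loopback only with
# `docker run -p 127.0.0.1:27017:27017 mongo`. The DNAT rule now carries
# -d 127.0.0.1/32, so only local clients are forwarded.
SAMPLE_LOOPBACK='*nat
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 27017 -j DNAT --to-destination 172.17.0.2:27017
COMMIT'

# exposed_ports_in: read iptables-save output on stdin and print every DNAT
# rule in Docker's chain that has no destination address restriction.
# On a real host (needs root): iptables-save -t nat | exposed_ports_in
exposed_ports_in() {
    grep -- '^-A DOCKER ' | grep -- '-j DNAT' | grep -v -- ' -d '
}

# is_port_exposed PORT: exit 0 if PORT is published to all interfaces,
# 1 otherwise. Reads iptables-save output on stdin.
is_port_exposed() {
    port="$1"
    exposed_ports_in | grep -q -- "--dport ${port} "
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_EXPOSED"  | is_port_exposed 27017 && echo "exposed sample: 27017 open to the world"
printf '%s\n' "$SAMPLE_LOOPBACK" | is_port_exposed 27017 || echo "loopback sample: 27017 not world-reachable"
```

The usual fixes are the ones the Docker documentation itself lists: publish ports to loopback (-p 127.0.0.1:27017:27017) so the DNAT rule is restricted, put DROP rules for untrusted sources in the DOCKER-USER chain, which Docker consults before its own rules, or set "iptables": false in /etc/docker/daemon.json and manage the rules yourself (which also removes the NAT containers rely on for outbound traffic, so it needs replacing).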
The exposed database appears to have been discovered and deleted by an automated ransomware script after about three hours. Clay said he became aware of the disaster when he received an error message from NewsBlur on his phone. The error message contained “drop”, the SQL data definition language command for dropping databases.
While investigating his MongoDB installation, he found a new empty database called “READ__ME_TO_RECOVER_YOUR_DATA” that contained a demand for 0.03 BTC (~$1,094).
Clay had no reason to pay the ransom, however, as he discovered that no data had actually been stolen and he had a backup copy of the deleted database.
Looking through his MongoDB access logs, he could see two connections from a Tor exit node right before the deletion. While some website owners block IP addresses associated with Tor exit nodes, Clay said NewsBlur does not, so that people in countries with internet censorship can bypass content restrictions and express themselves freely.
The Docker footgun – installing Docker on Ubuntu Linux silently bypasses firewall rules – was raised as a concern by developers seven years ago. The problem is common enough that various online posts offer workaround tips.
The lack of secure defaults is also a problem for various databases. Last year, several thousand inadequately secured databases were deleted in the so-called “Meow” attack.
The Register asked Docker why it has not implemented a more secure default, but we have not heard back. Docker’s documentation warns that it manipulates iptables, the command-line utility used to configure the Linux IP packet filter rules.
We asked Clay the same question, who replied, “Your guess is as good as mine. It’s kind of a trade-off between convenience and safety. Here convenience triumphs.” ®