For years we have been worrying about whether the apps (or applications) that we use are secure. Now we also have to worry about whether the back-end servers that our apps talk to are secure.
You may remember that recently hackers discovered thousands of MongoDB servers on the Internet with no admin password and turned them into a form of ransomware: either encrypt the database in place or copy the database off, drop all the collections, and leave a note demanding payment. If you didn't have good backups (and people who put databases on the Internet with no admin password probably don't have good backups either) then you had to pay the ransom and hope the attacker actually had a copy of your data.
Well, researchers, never content to leave bad enough alone, decided that if there were thousands of Mongo database servers out there with no password, what else might be out there?
Security vendor Appthority found over 1,000 iOS and Android apps whose back-end databases were not properly secured. And, I am pretty sure, the search was not exhaustive.
The research focused on two open source products – MySQL and ElasticSearch. Open source is not really the issue here; poorly configured software is the issue.
Their analysis found 43 terabytes of unprotected data in 21,000 wide open databases.
They call what they found HospitalGown, and it is not a bug in any product. It is merely hackers looking for databases that operations people did not bother to secure. The MongoDB fiasco last December was caused by MongoDB's default configuration having no security at all: authentication was disabled out of the box, and older builds listened on every network interface. Securing the server required users to change the default install, and many never did.
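To make the "default install" point concrete, here is an added example (not from the original post or from the Appthority report) of the two `mongod.conf` settings that decide whether a MongoDB server is exposed the way the ransomed ones were. The first fragment reproduces the insecure state: no authentication and listening on all interfaces. The second is the corrected configuration; the admin user named in the comments is a hypothetical one you would create yourself before enabling authorization.

```yaml
# --- INSECURE: the state the ransomed servers were in ---
# No "security" section at all means authorization is disabled,
# so anyone who can reach the port can read, drop or encrypt every database.
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface, including the public one

# --- CORRECTED ---
# 1. Start with the server reachable only from localhost, create an admin
#    user (e.g. in the mongo shell: db.getSiblingDB("admin").createUser({...})
#    with the "userAdminAnyDatabase" role; the user name is your choice),
#    then restart with this file.
# 2. authorization: enabled makes every connection authenticate before
#    it can touch data, so an exposed port is no longer an open database.
# 3. bindIp restricts listening to localhost and the private address the
#    app servers actually use; 10.0.0.5 is a placeholder for your own.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
```

A quick sanity check after restarting: connecting from an outside host should be refused at the network layer, and connecting from an allowed host without credentials should fail with "not authorized" on any command that reads data. If either succeeds, the server is still in the HospitalGown state regardless of what the config file says.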
Whether that is the case here or not, what is likely just a sample of the whole Internet found 43 terabytes of wide open data.
Appthority did notify both Apple and Google about at least some of the non-secure apps and also notified Amazon for databases that were hosted there.
Still, there are probably tens of thousands – or more – databases out there that are still not protected.
One component of vendor risk management is to look at where your data is hosted, whether your vendors have conducted third-party risk assessments, and how they ensure your data is protected. I suspect that none of these app developers have done a vendor risk assessment. Have you?
Information for this post came from eWeek.