18 unprotected MongoDB servers expose surveillance data

• The open MongoDB databases contained data that are a part of a Chinese surveillance program.
• The exposed information included online social services related data such as profile names, ID numbers, photos, public and private conversations, file transfers, GPS location, and more.

What is the issue - A security researcher named Victor Gevers uncovered 18 MongoDB servers that are publicly available without password protection.

What was involved - The open MongoDB databases contained data that are a part of a Chinese surveillance program.

The exposed information included online social services related data such as profile names, ID numbers, photos, public and private conversations, file transfers, GPS location, and more.

The big picture

The security researcher noted that account information from six social services platform in China was stored in a large database and was linked to a real person or ID.

Gevers found some identifiers related to the social messaging platforms in the unprotected database collection. He tweeted the identifiers in his account so that his followers could identify the social services.

“Can anyone (from China) identify these Messaging services?

imsg <--...
qg <--...
qqmesg. <-- (link: https://www.imqq.com/) imqq.com
wwmsg <--...
wxmsg <--...
yymsg <--...

In China, they have a surveillance program on social networks which looks like a jerry-rigged PRISM clone of the NSA,” Gevers tweeted.

His followers identified ‘wxmsg’ as WeChat which is a Chinese messaging and social media platform.

Worth noting

Gevers noted that profile data, chats, and file transfers associated with almost 364 million profiles were processed on a daily basis and then distributed over police stations in cities and provinces to unprotected MongoDB servers of operators in 18 locations.

With these databases, local law enforcement manually investigates 2,600 to 2,900 social media profiles and chat conversations. The security researcher noted that one of the intelligence feeds revealed that the distribution of triggered events are directed to the police stations, which are identified by numbers.

However, the operators of these open databases remain unknown. Gevers notified the Internet Service Provider ChinaNet Online about the leaky databases. After which, only one server remained open.

The bottom line - Although tracking users’ chat conversations is a common practice in China, however, storing such sensitive data in unprotected servers accessible by anyone surprised the researcher.

“There is no security. It looks like they have NO CLUE what they are doing,” the security researcher told BleepingComputer.