MacKeeper: MongoDB Database Misconfiguration Leaves 13 Million Users Vulnerable

December 16, 2015 Updated: December 16, 2015

The user information of up to 13 million MacKeeper users could be vulnerable because Kromtech, the maker of the MacKeeper software, misconfigured the popular database software that stored it.

MacKeeper, which touts itself as security software but has been widely panned as “scareware,” apparently stored user data in the popular open-source database MongoDB. The default configuration of the server running this database left it open to public access, so anyone who found it could potentially have retrieved Kromtech’s entire user database by running a few simple commands.

The security loophole was found by security researcher Chris Vickery, who published the details on his blog; Kromtech patched the hole within hours of the blog post. Kromtech said it believed no one else had accessed the database: “analysis of our data storage system shows only one individual gained access performed by the security researcher himself.”

Vickery said that he used the online search tool Shodan to locate the MongoDB database and collect the user information from the unsecured server. Following up on Vickery’s post, John Matherly, founder of Shodan, said that MacKeeper was only one of many examples of poor database security configuration; his team’s report pointed to “at least 35,000 publicly available, unauthenticated instances of MongoDB running on the Internet”, exposing a total of 684.8 terabytes of data. Matherly went on to point out that other popular open-source databases such as “Redis, CouchDB, Cassandra and Riak are equally impacted by these sorts of misconfigurations.”
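The exposure described in the two passages above (a MongoDB server listening on every network interface with no authentication required) can be checked for in the server's own configuration before the instance is ever reachable. The following audit script is an added example and is not code from the article, from Kromtech, or from Shodan; the two configurations it inspects are constructed samples, not Kromtech's real settings. It reads the `net.bindIp`, `net.bindIpAll` and `security.authorization` keys of a mongod configuration (already loaded as a Python dictionary, so no YAML parser is assumed) and reports the combination that produces an unauthenticated, publicly reachable instance. The check generalizes beyond the MacKeeper case to any mongod configuration with those keys.

```python
"""Audit a mongod configuration for network exposure without authentication.

Added example; the configurations below are constructed samples only.
"""

from typing import Any, Dict, List

# Constructed sample: listens on every interface, no authorization required.
# This is the shape of configuration the article describes.
EXPOSED_CONFIG: Dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "security": {},
}

# Constructed sample: loopback only, clients must authenticate.
HARDENED_CONFIG: Dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "127.0.0.1"},
    "security": {"authorization": "enabled"},
}

# Addresses that mean "every interface" for mongod's bindIp setting.
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


def bind_addresses(cfg: Dict[str, Any]) -> List[str]:
    """Return the list of addresses mongod would bind, normalised.

    bindIp is a comma-separated string; when it is absent the effective
    value depends on the mongod version and packaging, so the auditor
    treats a missing value as unknown rather than guessing.
    """
    raw = cfg.get("net", {}).get("bindIp")
    if raw is None:
        return []
    return [a.strip() for a in str(raw).split(",") if a.strip()]


def is_publicly_bound(cfg: Dict[str, Any]) -> bool:
    """True if the server listens on all interfaces (bindIpAll or a wildcard)."""
    if cfg.get("net", {}).get("bindIpAll") is True:
        return True
    return any(addr in WILDCARD_ADDRESSES for addr in bind_addresses(cfg))


def auth_required(cfg: Dict[str, Any]) -> bool:
    """True only when security.authorization is explicitly enabled."""
    return cfg.get("security", {}).get("authorization") == "enabled"


def audit(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means no exposure was found."""
    findings: List[str] = []
    public = is_publicly_bound(cfg)
    auth = auth_required(cfg)
    if public:
        findings.append("net.bindIp exposes mongod on all network interfaces")
    if not bind_addresses(cfg) and not cfg.get("net", {}).get("bindIpAll"):
        findings.append("net.bindIp is not set; effective bind address depends on the mongod build and package defaults")
    if not auth:
        findings.append("security.authorization is not enabled; any client that can connect can read every collection")
    if public and not auth:
        findings.append("CRITICAL: unauthenticated instance reachable from the network")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Run on the exposed sample, the audit reports the bind exposure, the missing authorization and the critical combination of the two; on the hardened sample it reports nothing. A configuration that binds to all interfaces but has authorization enabled is reported only for the bind, which is the right signal for a database that genuinely has to serve remote clients and should instead be reached through a firewall or private network.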

Ironically, MacKeeper has itself been criticized for what some called a heavy-handed marketing campaign to get users to download and purchase its products. It was the target of a class-action lawsuit accusing the company of false advertising to get users to install its software; the suit claimed it often baited users into thinking their Macs were infected through well-placed ads.