28 September 2021
Well, I guess I should have seen this one coming - spacepaste, my little experiment in building interactive services over gemini, uses mongodb to store its data. It is a "pastebin" type service, so it just stores user pastes in a dumb document-store kind of way. Since I set it up as a quick proof of concept, and no sensitive information is stored anywhere, I didn't think to change the defaults for the database setup. Lo and behold, we've been *hacked*!
A fine upstanding netizen has wiggled its way into the mongodb document store, dropped all collections, and left a grammatically questionable ransom note/blackmail message demanding 0.02BTC (about 800 USD).
"All your data is backed up", starts the message stored in a new collection. We're given 48 hours to comply, so the pressure is on! But hold on, we're not just being ransomed for our data - there's blackmail too!
"In case of refusal to pay, we will contact the General Protection Regulation, GDPR, and notify them that you store user data in an open form", ah, now we're told that if we don't pay them, we'll pay the European authorities a hefty fine for allowing our data to leak!
The message ends with instructions to email the criminal mastermind once payment is made, so the database can be recovered. Sweet.
So what happens next? Obviously no payment is being made - there were a couple of test records in the database, and their loss will not be felt by anyone. But I am curious what will happen with the threats made: will they publish the leaked data as promised? Will I find a series of "test paste" records somewhere tomorrow? How about that GDPR threat, will they make good on that? Somehow I doubt it. Once the bluff has been called, I'm guessing the scammer is moving on to the next victim.
A valuable lesson learned here is that no matter how obscure your little application, how small and insignificant your database, some miscreant will try to get in there and take advantage of you. Always, even for a small experiment, take a moment to ensure basic security measures are in place so automatic port scanning scripts will not waltz in there and wreak havoc. Spacepaste is still online, starting with a clean slate, the leak plugged.
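For the "basic security measures" above, here is an added example of a mongod.conf with the exposed setup beside a hardened one; it is not spacepaste's actual configuration, and it assumes the application runs on the same host as the database and that this is the only listener you need.

```yaml
# Added example, not the original configuration of spacepaste.
#
# Exposed: the kind of setup an internet-wide scanner finds and empties in minutes.
# Kept as comments only; do not deploy this.
#   net:
#     bindIp: 0.0.0.0          # listens on every interface, including the public one
#     port: 27017
#   security:
#     authorization: disabled  # anyone who can connect can drop every collection

# Hardened: a single-host service such as a pastebin only needs a local listener
# and a dedicated application account.
net:
  bindIp: 127.0.0.1          # only processes on this host can connect;
  port: 27017                # use a private interface or a Unix socket if the app lives elsewhere
security:
  authorization: enabled     # every client must authenticate before it can read or write
```

Before enabling authorization, create an application user with readWrite on its own database (and an admin user), then confirm with `ss -ltnp | grep 27017` that mongod listens on 127.0.0.1 only.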