
Parse Server & Parse Dashboard Security #3338

Closed
dhavalyours opened this issue Jan 7, 2017 · 4 comments

@dhavalyours

Hi,

Our parse-hosted mongo setup was hacked, similar to bug #3334.

This hack was a type of extortion. The entire db was deleted and the following message was in the error logs:

insert PLEASE_READ.PLEASE_READ query: { _id: ObjectId('587026363592359314ee86fc'), Info: "Your DB is Backed up at our servers, to restore send 0.1 BTC to the Bitcoin Address then send an email with your server ip", Bitcoin Address: "1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF", Email: "[email protected]" } ninserted:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 2, w: 2 } }, MMAPV1Journal: { acquireCount: { w: 8 }, acquireWaitCount: { w: 2 }, timeAcquiringMicros: { w: 81 } }, Database: { acquireCount: { w: 1, W: 1 } }, Collection: { acquireCount: { W: 1 } }, Metadata: { acquireCount: { W: 4 } } } 447ms

This is a serious issue.

Since then we have taken the following security actions on our hosted instance server:

  1. Running mongo on a different port rather than the default port.
  2. Closing the public port used to access the db.
  3. Separate read/write credentials for the parse application to use the db.
  4. Binding mongodb to localhost only.

Is there anything else we can do to secure our mongo instance?

The current parse setup runs with a master key & api key.

If someone were to get hold of them, they could manipulate the db using the parse APIs. Is there any way we can implement additional security on our hosted parse instance?

@flovilmart
Contributor

Look into class level permissions and ACLs; they are utterly important to prevent unlawful reads and writes. Your master key should be private; don't hesitate to rotate it regularly if you believe there was an issue.

After that, all security best practices apply. We recently added password validation etc... to parse-server, you may wanna look into it for securing your private data.

@skinp
Contributor

skinp commented Jan 8, 2017

I don't see any mention of auth or TLS in the actions you took. This is definitely something you should consider. Also, have a look at the blog post from Mongo on how to deal with this situation https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data
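As an added example that is not part of this issue thread or of Parse Server's own code, a small Node.js audit of a Parse Server configuration for the points the two replies above raise: MongoDB credentials, TLS and a local-only host in `databaseURI`, a weak master key, and class-level permissions that leave write operations open to the public. The CLP layout follows Parse's schema JSON (`"*"` is the public principal); the URI check assumes single-host `mongodb://` URIs, the 32-character master-key threshold is a heuristic of this example, and all sample data is constructed.

```javascript
// Added example, not code from the issue or from Parse Server. Audits a Parse
// Server config for the thread's points: MongoDB auth, TLS, a non-public host,
// a weak master key, and world-writable class-level permissions (CLPs).
// Assumes single-host mongodb:// URIs; all sample data below is constructed.
function auditDatabaseURI(uri) {
  const findings = [];
  const u = new URL(uri); // WHATWG URL parser handles mongodb:// user, host and query parts
  if (!u.username || !u.password) {
    findings.push("databaseURI has no credentials: MongoDB authorization is not in use");
  }
  if (u.searchParams.get("tls") !== "true" && u.searchParams.get("ssl") !== "true") {
    findings.push("databaseURI does not request TLS (tls=true or ssl=true)");
  }
  if (!["localhost", "127.0.0.1", "[::1]"].includes(u.hostname)) {
    findings.push(`databaseURI targets ${u.hostname}: mongod is reachable off-host, check bindIp and firewall`);
  }
  return findings;
}

// Parse schema CLP format: { create: { "*": true }, update: { "role:admin": true }, ... }
// "*" is the public, unauthenticated principal, so "*" on a write op means anyone can write.
function auditCLP(className, clp) {
  const findings = [];
  for (const op of ["create", "update", "delete", "addField"]) {
    if ((clp[op] || {})["*"] === true) findings.push(`${className}: ${op} is open to the public`);
  }
  return findings;
}

function auditParseConfig(config, schemas) {
  const findings = auditDatabaseURI(config.databaseURI);
  // Heuristic threshold (assumption of this example): under 32 chars is unlikely to be a random key.
  if (!config.masterKey || config.masterKey.length < 32) findings.push("masterKey is short or missing: use a long random value and rotate it");
  for (const s of schemas) findings.push(...auditCLP(s.className, s.classLevelPermissions || {}));
  return findings;
}

// Constructed samples: a setup like the one in this issue, and a hardened one.
const weakConfig = { databaseURI: "mongodb://203.0.113.10:27017/parse", masterKey: "changeme" };
const hardenedConfig = {
  databaseURI: "mongodb://parse_rw:s3cret@127.0.0.1:27017/parse?tls=true",
  masterKey: "k7Qp3ZxV9sLm2NwB8tRa5Yc1HdFg6JeU0oPiXvK4",
};
const schemas = [
  { className: "Order", classLevelPermissions: { find: { "*": true }, create: { "*": true }, update: { "*": true }, delete: { "*": true }, addField: { "*": true } } },
  { className: "Invoice", classLevelPermissions: { find: { requiresAuthentication: true }, create: { "role:admin": true } } },
];
auditParseConfig(weakConfig, schemas).forEach((f) => console.log("WEAK:", f));
console.log("hardened findings:", auditParseConfig(hardenedConfig, [schemas[1]]).length);
```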

@skinp
Contributor

skinp commented Jan 8, 2017

One thought I had about the data, maybe the hackers didn't drop the oplog? If it's the case, you might be able to get some data back. Have a look in local.oplog.rs...
Even if the oplog hasn't been cleared, it won't be easy to recover from it (it's pretty technical and I can't help with that) but at least it's something that might be useful...

@RodrigoBertotti

Thanks for sharing.
