Today’s installment of misconfigured databases includes more than 10 million chat messages from more than 44,000 users on TheTreesNetwork. Chris Vickery, security researcher at Kromtech, writes:
I have information on two different breaches to share today. Coincidentally they both involve sites that show videos to their user base.
The first has to do with TheTreesNetwork.com, a marijuana-enthusiast site where people are invited to casually gather and chat while watching videos that appeal to that target demographic.
On May 8th, I notified the site of their unprotected MongoDB database in an unusual, but certainly effective way. After joining the chat, I wrote “What would you do if I had proof that this site is leaking user details?”. The response from the crowd was basically, “Prove it.” So, I did by posting an Imgur.com link to an image showing an overview of the database (but not the specific IP address or any user details).
An admin was very quick to respond, as I expected. He (or possibly she) fixed the problem in mere minutes. It may have been the world’s fastest incident response.
I’ll post the second incident Chris mentioned in his post later, as I’m still trying to get a bit more information on that one.
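The root cause Chris describes, a MongoDB instance reachable from the Internet with no authentication, usually comes down to two settings in mongod.conf: what `net.bindIp` listens on, and whether `security.authorization` is enabled (it is disabled by default, and mongod before 3.6 bound to every interface unless `bindIp` was set). The following is an added example, written for this post and not code from Chris's write-up or from TheTreesNetwork: a small Python audit that flags a config listening on all interfaces or running without authorization, run over two constructed configs. The minimal YAML parser and both config bodies are assumptions for illustration; the checker handles only the flat section/key layout mongod.conf normally uses.

```python
"""Audit a mongod.conf for the two settings behind most 'open MongoDB' findings.

Added example for this post; not from the original article or from the site it
describes. The two configs at the bottom are constructed for the demonstration.
"""
from typing import Dict, List, Tuple


def parse_simple_yaml(text: str) -> Dict[str, object]:
    """Parse the 'section:\\n  key: value' layout mongod.conf uses.

    Assumption: this is a deliberately minimal parser for that flat shape only
    (no lists, no quoted strings); it is not a general YAML parser.
    """
    tree: Dict[str, object] = {}
    stack: List[Tuple[int, Dict[str, object]]] = [(-1, tree)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # dedent: close nested sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # 'net:' opens a nested section
            node: Dict[str, object] = {}
            parent[key] = node
            stack.append((indent, node))
        else:
            parent[key] = value
    return tree


def audit_mongod_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net") if isinstance(cfg.get("net"), dict) else {}
    security = cfg.get("security") if isinstance(cfg.get("security"), dict) else {}
    findings: List[str] = []

    # Check 1: which interfaces mongod listens on.
    bind_ip = net.get("bindIp")
    if str(net.get("bindIpAll", "false")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind_ip is None:
        findings.append(
            "net.bindIp is unset: mongod before 3.6 listens on every interface")
    else:
        wildcard = [a.strip() for a in str(bind_ip).split(",")
                    if a.strip() in ("0.0.0.0", "::", "*")]
        if wildcard:
            findings.append(
                f"net.bindIp includes {', '.join(wildcard)}: "
                "mongod listens on every interface")

    # Check 2: whether clients must authenticate at all.
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can "
            "connect can read and write every database")
    return findings


# Constructed config in the shape that produces an exposed instance.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed config with the two settings corrected.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the internal app address only
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['ok']}")
```

A clean config audit is only half the check: enabling `authorization` does nothing until actual users and roles exist, and the binding should be confirmed from outside with a connection attempt from an untrusted address (or a host firewall rule blocking 27017 from anything but the application hosts). A database that passes this audit but sits behind a permissive cloud security group is still the same incident waiting to happen.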