Description
Hi,
Our Parse hosted mongo setup was hacked, similar to bug #3334.
This hack was a type of extortion. The entire db was deleted and the following message was there in the error logs:
insert PLEASE_READ.PLEASE_READ query: { _id: ObjectId('587026363592359314ee86fc'), Info: "Your DB is Backed up at our servers, to restore send 0.1 BTC to the Bitcoin Address then send an email with your server ip", Bitcoin Address: "1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF", Email: "[email protected]" } ninserted:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 2, w: 2 } }, MMAPV1Journal: { acquireCount: { w: 8 }, acquireWaitCount: { w: 2 }, timeAcquiringMicros: { w: 81 } }, Database: { acquireCount: { w: 1, W: 1 } }, Collection: { acquireCount: { W: 1 } }, Metadata: { acquireCount: { W: 4 } } } 447ms
This is a serious issue.
Since then we have taken the following security actions on our hosted instance server:
- Running mongo on different port rather than default port.
- Closing public port to access db.
- Separate read/write credentials to parse application to use db.
- Binding mongodb to localhost only.
Is there anything else we can do to secure our mongo instance?
The current parse setup runs with master key & api key.
If someone gets hold of it, they can manipulate the db using Parse APIs. Is there any way we can implement additional security for our hosted Parse instance?
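
One way to verify the mongod settings behind the steps listed in the post above, as an added example that is not part of the original post: a Python audit of `mongod.conf` text for `net.bindIp`, `net.port` and `security.authorization`. The function names and both sample configurations are constructed for illustration.

```python
# Added example: audit mongod.conf text for the settings named in the post.
# WEAK and HARDENED are constructed samples, not the poster's configuration.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

WEAK = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED = """\
net:
  port: 27117        # constructed non-default port
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def flatten(conf_text):
    """Flatten nested YAML mappings into dotted keys, e.g. 'net.bindIp'."""
    result, stack = {}, []  # stack: (indent, key) of the open parent mappings
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            result[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return result

def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = flatten(conf_text), []
    binds = {ip.strip() for ip in conf.get("net.bindIp", "").split(",") if ip.strip()}
    if not binds:
        findings.append("net.bindIp is not set explicitly")
    if conf.get("net.bindIpAll", "false").lower() == "true" or not binds <= LOOPBACK:
        findings.append("mongod listens on a non-loopback address")
    if conf.get("net.port", "27017") == "27017":
        findings.append("net.port is the default 27017")
    if conf.get("security.authorization") != "enabled":
        findings.append("security.authorization is not enabled")
    return findings
```

A configuration that passes still needs the port confirmed closed from outside the host, since the firewall is not visible to this check.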