NewsBlur, a personal newsreader, was offline for several hours last week after its database was hacked and wiped clean.
The hacker was able to gain access to the server and tamper with the MongoDB database while the server was being transitioned to Docker. This is a known issue: during such a transition, the host's firewall rules are effectively bypassed, which opens the door to an attack.
According to NewsBlur founder Samuel Clay, within roughly three hours after a hacker broke into NewsBlur, the database was copied and the original one was deleted.
“When I switched to a new MongoDB server, a hacker deleted all of NewsBlur’s mongo data and is now holding NewsBlur’s data hostage. I’m dipping into a backup from a few hours ago and will keep you all updated,” he noted in a message on the NewsBlur main page.
Clay shut down the original MongoDB cluster before transitioning to Docker. This saved it from being destroyed as well. Clay says he immediately started restoring the service from his primary database and managed to get back to normal in about 10 hours.
Clay blames this issue on a change in the UFW firewall introduced by Docker that allowed unauthorized access to the database.
“When I containerized MongoDB, Docker helpfully inserted an allow rule into iptables, opening up MongoDB to the world. So while my firewall was ‘active’, […] MongoDB was open to the world,” Clay explained.
The bug has been around for years, and working around it requires an administrator to modify the UFW configuration and add specific rules for Docker.