Two million affected as learning app suffers data leak


A misconfigured database on the LectureNotes Learning App, a platform for sharing class notes, has exposed more than two million user records, the Cybernews research team has discovered.

In December 2023, the Cybernews research team discovered a misconfigured MongoDB database belonging to LectureNotes. The database was being updated in real-time and exposed the personal and access data of users and app admins.

A total of 2,165,139 user records were compromised, with the leaked data including:

  • Username
  • First and last name
  • Email
  • Encrypted password
  • Phone number
  • IP address
  • User-agent
  • Session tokens
  • Additionally, some administrators' authorization details were also exposed (IDs and secrets)

LectureNotes is a platform for students, teachers, and institutions to share class notes peer-to-peer, aiming to remove dictation from classrooms. According to Google Play, the app has been downloaded more than half a million times and has 12.9 thousand reviews, averaging 2.5 stars out of 5.

“The exposure of session tokens poses a severe threat, potentially allowing a potential attacker to illicitly access user sessions without requiring passwords. Furthermore, the compromised administrator authorization details, including IDs and secrets, elevate the risk by providing unauthorized access to privileged accounts, possibly leading to malicious activities and unauthorized control over the platform's functionalities,” Cybernews researchers write.

Exposed session tokens could have been re-used to access the user’s session without actually entering the password. Cybernews reported on the new dangers associated with cookies in the hands of cybercriminals.

Cyberattackers could exploit leaked admin credentials to deploy ransomware, conduct phishing attacks, and cause other potentially significant damage.

After the responsible disclosure, the issue was fixed in two days. Cybernews reached out to LectureNotes Technologies for additional comments but did not receive a response before publishing this article.


Misconfiguration is the most probable culprit

Cybernews researchers attribute the leak to a misconfigured MongoDB database that was left public. This situation could have been prevented with proper authentication and access controls.

“The rule of thumb for MongoDB administrators is always to enable authentication and ensure that only authorized users can access the database. Using strong passwords and keyfile authentication improves security,” researchers suggest.

MongoDB's default options often lack strong security features, and administrators often overlook this, in particular by omitting the `security.authorization: enabled` setting, encryption configuration, or access controls.
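As an added illustration (not code from Cybernews or LectureNotes), the following check reads a `mongod.conf` and reports the gaps described above: missing `security.authorization: enabled`, a listener bound to every interface, and transport encryption not being required. The `net.bindIp`, `net.bindIpAll` and `net.tls.mode` options are standard mongod settings that the article does not name, the two sample configurations are constructed, and the policy of requiring each setting explicitly is an assumption of this example.

```python
import re

# Constructed sample mongod.conf files (not taken from the incident).
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""

def flatten(conf_text):
    """Flatten the nested-mapping subset of YAML used by mongod.conf into dotted keys."""
    flat, stack = {}, []            # stack holds (indent, key) of open parent sections
    for raw in conf_text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()             # leave sections that are not parents of this line
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            flat[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return flat

def audit(conf_text):
    """Return a list of findings for the settings discussed in the article."""
    c, findings = flatten(conf_text), []
    if c.get("security.authorization") != "enabled":
        findings.append("security.authorization is not explicitly enabled")
    ips = c.get("net.bindIp", "")
    if c.get("net.bindIpAll") == "true" or re.search(r"(^|,)\s*(0\.0\.0\.0|::)\s*(,|$)", ips):
        findings.append("mongod listens on all interfaces")
    if c.get("net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode is not requireTLS")
    return findings
```

Running `audit()` over each deployed configuration in CI or a scheduled job turns the researchers' rule of thumb into a check that fails before a database is reachable without credentials.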

Cybernews researchers also recommend implementing monitoring solutions to detect unusual activity or potential security incidents and setting up alerts for suspicious events for rapid response.

MongoDB stores data in a flexible format similar to JSON and is a popular choice as a NoSQL database solution.

Misconfigurations in MongoDB databases have led to leaks that exposed a million users of crypto exchange GokuMarket, customers at nine crypto exchanges in Russia, 13 million users of fortune-telling website WeMystic, clients of Dubai’s largest taxi app, and others.