
I just read "Is 2011 the Year of NoSQL Data Breaches?" over at Infosec Island. The article was really interesting and points out some aspects of MongoDB which I really don't like. I'm all for NoSQL databases, as the relational model does not fit well everywhere, so I'm hoping the MongoDB developers will address these issues pretty soon.

One of the problems the article points out is that a MongoDB user has either read-only or read-write access to the database, meaning that if you manage to breach a read-write account, you can access everything.

The second problem is the authentication, which seems to rely on MD5 digests, and any security-minded developer will tell you not to rely on MD5 anymore. These digests are also apparently repeatable, opening the door to replay attacks.

Update 2011-03-31: This last bit was discussed over in the mongodb-user group at Google. It seems the Infosec Island article was wrong about the digest being replayable: there is a nonce involved. (Thanks for the tip, kristofferg)
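To make the replay point concrete, here is an added example (my own illustration, not MongoDB's actual wire protocol and not code from the article or the mailing-list thread) contrasting the two designs: a login that sends the same fixed password digest every time, and a challenge-response login in which the server issues a fresh nonce and the client mixes it into the digest. Usernames, passwords and the exact digest construction are constructed for the demo. MD5 is used only to mirror the page's discussion; the replay resistance shown here comes from the single-use nonce, not from the choice of hash.

```python
import hashlib
import secrets


def password_digest(username: str, password: str) -> str:
    """Digest the server stores instead of the cleartext password (constructed format)."""
    return hashlib.md5(f"{username}:{password}".encode()).hexdigest()


# --- Design 1: fixed digest sent on every login (replayable) -----------------

class StaticDigestServer:
    def __init__(self, users: dict):
        self.users = users  # username -> stored digest

    def authenticate(self, username: str, sent_digest: str) -> bool:
        stored = self.users.get(username)
        if stored is None:
            return False
        # The same value succeeds on every connection, so a captured
        # digest can simply be resent.
        return secrets.compare_digest(stored, sent_digest)


# --- Design 2: nonce-based challenge-response (replay fails) ------------------

class NonceServer:
    def __init__(self, users: dict):
        self.users = users          # username -> stored digest
        self.outstanding = {}       # username -> nonce issued, not yet consumed

    def get_nonce(self, username: str) -> str:
        # Fresh random challenge for this login attempt only.
        nonce = secrets.token_hex(8)
        self.outstanding[username] = nonce
        return nonce

    def authenticate(self, username: str, key: str) -> bool:
        nonce = self.outstanding.pop(username, None)  # single use
        stored = self.users.get(username)
        if nonce is None or stored is None:
            return False
        expected = hashlib.md5(f"{nonce}{username}{stored}".encode()).hexdigest()
        return secrets.compare_digest(expected, key)


def client_response(nonce: str, username: str, password: str) -> str:
    """What the client sends: digest bound to this session's nonce."""
    return hashlib.md5(
        f"{nonce}{username}{password_digest(username, password)}".encode()
    ).hexdigest()


def demo_static_replay() -> tuple:
    """Returns (first_login_ok, replayed_login_ok) for the fixed-digest design."""
    server = StaticDigestServer({"alice": password_digest("alice", "s3cret")})
    captured = password_digest("alice", "s3cret")   # value seen on the wire
    first = server.authenticate("alice", captured)
    replay = server.authenticate("alice", captured)  # resent later, unchanged
    return first, replay


def demo_nonce_replay() -> tuple:
    """Returns (first_login_ok, replayed_login_ok) for the nonce design."""
    server = NonceServer({"alice": password_digest("alice", "s3cret")})
    nonce = server.get_nonce("alice")
    key = client_response(nonce, "alice", "s3cret")   # value seen on the wire
    first = server.authenticate("alice", key)
    server.get_nonce("alice")                          # next session, new nonce
    replay = server.authenticate("alice", key)         # old key no longer matches
    return first, replay


if __name__ == "__main__":
    print("static digest:", demo_static_replay())   # (True, True)
    print("nonce-based  :", demo_nonce_replay())     # (True, False)
```

The legitimate login succeeds in both designs; the difference is only visible when the captured value is presented a second time. With the fixed digest the server cannot tell a replay from a genuine login, whereas the nonce server expects a digest over a challenge it has never issued before, so the stale key fails.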

kristofferg
FYI

http://groups.google.com/group/mongodb-user/browse_thread/thread/df9c7182b1351b2b?hl=en#