DDP-Dump - A utility to audit and dump collections of any Meteor server


#1

Hi everyone,

Recently I looked at a cool new Meteor project of a friend and I noticed that a lot of user and application data was openly transmitted by using Meteor’s DDP (Distributed Data Protocol). After some research I discovered that even user data that I would consider to be sensitive (email addresses, full names, access tokens, …) is publicly available.

I also checked a few other public Meteor projects and some of them are also very “open” about their user and application data.

Now I’m not sure if every Meteor developer is aware of how easily their collection data can be accessed.
To raise awareness and to help developers to quickly audit and test their projects I wrote a command line utility that allows you to dump Meteor collections.

The utility allows you to capture all collections that a Meteor server sends out by default or to subscribe to specific Meteor collections (e.g. users, settings). The resulting data is exported as JSON and can be merged into one file or split into separate files.

Project repository: https://github.com/hxseven/ddp-dump

I hope this is useful to some of you.

P.S.: This is my first public node project, so feedback is appreciated :))

Cheers,
Jonas


#2

Additional hint:
To find the WebSocket URL of your Meteor project, open the Chrome / Firefox developer tools and go to the Network tab. Then go to the WebSockets tab in Chrome or the Other tab in Firefox to see the WebSocket / DDP connection details including your WebSocket URL. In Chrome you can also see all transmitted WebSocket messages (Frames tab) including the subscribe commands (msg: sub) that your client-side JS emits. (Maybe this is also possible in Firefox, but I rarely use FF so I don’t know how to see the messages there).
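Added example, not part of ddp-dump or the posts above: a small Node script that reads DDP messages (one JSON object per line, e.g. copied from the Frames tab described in the previous post) and reports which published fields look sensitive, so a developer can check their own publications before someone else does. The sample frames are constructed, and the field patterns are an assumption based on the layout of Meteor's default `users` collection (`emails`, `services.*`) plus generic token-like names.

```javascript
// Field paths that normally should never reach a client. Assumed patterns, not a Meteor API.
const SENSITIVE_PATTERNS = [
  /^emails(\.|$)/,                          // email addresses
  /^services\./,                            // login tokens, password hashes, OAuth secrets
  /(^|\.)(token|secret|apiKey|password)/i,  // generic credential-like names
];

// Flatten {a:{b:1}} into ["a.b"]; arrays are treated as a single leaf.
function fieldPaths(obj, prefix = '') {
  const out = [];
  for (const [k, v] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${k}` : k;
    if (v && typeof v === 'object' && !Array.isArray(v)) out.push(...fieldPaths(v, path));
    else out.push(path);
  }
  return out;
}

// Returns { collectionName: Set(sensitive field paths) } from DDP 'added'/'changed' messages.
function auditDdpFrames(lines) {
  const findings = {};
  for (const line of lines) {
    let m;
    try { m = JSON.parse(line); } catch { continue; }   // skip non-JSON frames (pings, sockjs noise)
    if (m.msg !== 'added' && m.msg !== 'changed') continue;
    const hits = fieldPaths(m.fields || {}).filter(p => SENSITIVE_PATTERNS.some(re => re.test(p)));
    if (hits.length) {
      findings[m.collection] = findings[m.collection] || new Set();
      hits.forEach(h => findings[m.collection].add(h));
    }
  }
  return findings;
}

// Constructed sample frames in DDP's JSON format; values are placeholders.
const SAMPLE_FRAMES = [
  '{"msg":"connected","session":"EXAMPLE_SESSION"}',
  '{"msg":"added","collection":"users","id":"u1","fields":{"username":"alice","emails":[{"address":"alice@example.com","verified":true}],"services":{"resume":{"loginTokens":[{"hashedToken":"PLACEHOLDER"}]}}}}',
  '{"msg":"added","collection":"posts","id":"p1","fields":{"title":"Hello","body":"..."}}',
  '{"msg":"changed","collection":"settings","id":"s1","fields":{"mailgun":{"apiKey":"PLACEHOLDER"}}}',
];

function runSample() {
  return auditDdpFrames(SAMPLE_FRAMES);
}

// Remedy on the Meteor server: `meteor remove autopublish`, then publish only what the
// client needs, e.g. Meteor.users.find({}, { fields: { username: 1 } }) inside Meteor.publish.
console.log(runSample());
```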