Recently I looked at a cool new Meteor project of a friend and I noticed that a lot of user and application data was openly transmitted by using Meteor’s DDP (Distributed Data Protocol). After some research I discovered that even user data that I would consider to be sensitive (email addresses, full names, access tokens, …) is publicly available.
I also checked a few other public Meteor projects and some of them are also very “open” about their user and application data.
Now I’m not sure if every Meteor developer is aware of how easily their collection data can be accessed.
To raise awareness and to help developers to quickly audit and test their projects I wrote a command line utility that allows you to dump Meteor collections.
The utility allows you to capture all collections that a Meteor server sends out by default or to subscribe to specific Meteor collections (e.g. users, settings). The resulting data is exported as JSON and can be merged into one file or split into separate files.
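As an added example (not code from the ddp-dump project or its author), the snippet below shows what a DDP data stream looks like and how a dump like the one described above is assembled from it: a server publishes documents as `added`, `changed` and `removed` messages and signals `ready` once a subscription is complete. The message log, the collection names and the deny-list of field names are all constructed here for illustration; the point for a developer auditing their own app is the last function, which flags top-level fields in the captured collections that a server normally should not publish at all.

```javascript
// Constructed DDP session, in the shape a Meteor server sends as JSON text frames.
// Only the data messages (added/changed/removed) carry collection contents.
const SAMPLE_MESSAGES = [
  { msg: 'connected', session: 'constructed-session-id' },
  { msg: 'added', collection: 'users', id: 'u1', fields: {
      username: 'alice',
      emails: [{ address: 'alice@example.com', verified: true }],
      profile: { name: 'Alice Example' },
      services: { resume: { loginTokens: [{ hashedToken: 'constructed-token' }] } } } },
  { msg: 'added', collection: 'settings', id: 's1', fields: { siteName: 'Demo' } },
  { msg: 'added', collection: 'settings', id: 's2', fields: { siteName: 'Demo', apiKey: 'constructed-key' } },
  // DDP 'changed' replaces whole top-level fields and lists cleared ones by name.
  { msg: 'changed', collection: 'users', id: 'u1', fields: { profile: { name: 'Alice E.' } }, cleared: ['username'] },
  { msg: 'removed', collection: 'settings', id: 's1' },
  { msg: 'ready', subs: ['sub-1'] },
];

// Replay a sequence of DDP messages into an in-memory copy of each collection.
// Returns { collections: { name: [docs...] }, readySubs: [...] }, the shape a JSON dump has.
function applyDdpMessages(messages) {
  const collections = {};
  const ready = new Set();
  for (const m of messages) {
    switch (m.msg) {
      case 'added': {
        const coll = collections[m.collection] || (collections[m.collection] = {});
        coll[m.id] = { _id: m.id, ...(m.fields || {}) };
        break;
      }
      case 'changed': {
        const doc = collections[m.collection] && collections[m.collection][m.id];
        if (!doc) break;
        Object.assign(doc, m.fields || {});
        for (const key of m.cleared || []) delete doc[key];
        break;
      }
      case 'removed':
        if (collections[m.collection]) delete collections[m.collection][m.id];
        break;
      case 'ready':
        for (const sub of m.subs || []) ready.add(sub);
        break;
      default:
        // connected, ping/pong, nosub, result, etc. carry no collection data
    }
  }
  const out = {};
  for (const [name, docs] of Object.entries(collections)) out[name] = Object.values(docs);
  return { collections: out, readySubs: [...ready] };
}

// Constructed deny-list of field-name fragments that should not reach the client.
// Adapt this to your own schema; it is an illustration, not a complete list.
const SENSITIVE_FIELDS = ['emails', 'services', 'apikey', 'password', 'token', 'secret'];

// Audit the captured collections: report "collection.field" for every top-level
// field whose name contains a deny-listed fragment. Sorted for stable output.
function findSensitiveFields(collections, denyList = SENSITIVE_FIELDS) {
  const findings = [];
  for (const [name, docs] of Object.entries(collections)) {
    const seen = new Set();
    for (const doc of docs) {
      for (const key of Object.keys(doc)) {
        if (denyList.some((d) => key.toLowerCase().includes(d))) seen.add(key);
      }
    }
    for (const key of seen) findings.push(`${name}.${key}`);
  }
  return findings.sort();
}

const dump = applyDdpMessages(SAMPLE_MESSAGES);
console.log(JSON.stringify(dump.collections, null, 2));
console.log('published fields to review:', findSensitiveFields(dump.collections));
```

Running this against a real capture instead of the constructed log turns the second `console.log` into a checklist for the server side: each reported field is one that the publication should either drop from its field specifier or restrict to the owning user.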
Project repository: https://github.com/hxseven/ddp-dump
I hope this is useful to some of you.
P.S.: This is my first public node project, so feedback is appreciated :))