Can’t speak for them, but I would say those services will be fine since they tend to use the most up-to-date version of MongoDB and have a very specific setup (i.e. not the defaults that were the issue). @alimgafar
In this case the vulnerability is particular to the latest versions (or rather, not the software itself but the defaults it ships with), but yeah, I would think that the setup details of a normal hosted db would preclude this problem with the defaults.
The vulnerability comes into play when people set up mongo on open ports with no authentication. Like anything else, you either need to only allow local access or have auth enabled with strong passwords.
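A check for the two conditions this post names (local-only binding, and authentication enabled), as an added example that is not from this thread or from MongoDB: a small Python script that reads a `mongod.conf`, using a constructed parser for just the two-level YAML subset these keys use (plus the legacy `key = value` form), and reports whether the instance listens on a non-loopback address or has authorization disabled. The weak and hardened configs embedded below are constructed samples.

```python
"""Audit a mongod.conf for the two settings the post calls out:
listening on a non-loopback interface, and authorization not enabled.
Added example (not MongoDB's own tooling); the parser is a constructed
minimal one, not a general YAML parser."""

# Constructed sample: binds to every interface and has no security section.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback only, with authorization switched on.
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""

# Constructed sample in the legacy (pre-YAML) config format.
LEGACY_CONF = """
bind_ip = 127.0.0.1
auth = true
"""


def parse_mongod_conf(text):
    """Return {'section.key': value} for a mongod.conf.

    Handles 'section:' / '  key: value' YAML-style lines and the legacy
    'key = value' form.  Comments and blank lines are dropped."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        key, sep, value = stripped.partition('=')
        if sep and ':' not in key:                     # legacy key = value
            settings[key.strip()] = value.strip().strip('"\'')
            continue
        key, _, value = stripped.partition(':')
        key, value = key.strip(), value.strip().strip('"\'')
        if indent == 0 and value == '':
            section = key                              # e.g. 'net:'
        elif section is not None and indent > 0:
            settings[f'{section}.{key}'] = value       # e.g. 'net.bindIp'
        else:
            settings[key] = value
    return settings


def _is_local(addr):
    """Loopback addresses and unix socket paths count as local-only."""
    return addr in ('localhost', '::1') or addr.startswith('127.') or addr.startswith('/')


def audit(settings):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []

    bind = settings.get('net.bindIp', settings.get('bind_ip'))
    if bind is None:
        findings.append('bind address not set: relies on the version default, verify it')
    else:
        public = [a.strip() for a in bind.split(',') if not _is_local(a.strip())]
        if public:
            findings.append('listens on non-loopback address(es): ' + ', '.join(public))

    auth_on = (settings.get('security.authorization', '').lower() == 'enabled'
               or settings.get('auth', '').lower() in ('true', '1')
               # a keyFile (internal auth) also turns on client authorization
               or 'security.keyFile' in settings)
    if not auth_on:
        findings.append('authorization not enabled')
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit a config string."""
    return audit(parse_mongod_conf(text))


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF), ('legacy', LEGACY_CONF)):
        print(name, audit_text(conf) or ['ok'])
```

Point it at a real file with `audit_text(open('/etc/mongod.conf').read())`; a non-empty result means the instance is in exactly the state the post warns about, regardless of what the package's defaults happened to be.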
True, there are others out there though. When I first started using elasticsearch they didn’t even have authentication at all. I find it funny that we’re having this discussion about secure defaults on the Meteor forum page when it itself has insecure defaults (insecure & autopublish package).
That said, the lack of firewalls is the part that really makes me cringe.
It would depend on what the hosting service has installed (prebuilt binaries, compiled from source) and what additional steps they’ve taken to ensure the service is production-ready. MongoDB publishes a basic security checklist in their online security manual and Andreas Nilsson wrote a pretty comprehensive post on security best practices, with links to ancillary resources.
If you’re concerned about the security of your hosted MongoDB instance, I would send a copy of the checklist to your hosting provider and demand that they confirm that they comply with the recommendations in the checklist. Better yet, it would be far more comforting if they would publish an audit that demonstrates they meet or go above and beyond the recommendations in the checklist.
It’s difficult to ever know if a service truly complies or simply gives lip service. In this case, you could try to confirm for yourself by using Shodan, Wireshark, an HTTP browser, port scanner, or some other tools to see if you can find and gain access to your database.