What is MongoDB Atlas Cloud Data API?
MongoDB Atlas Data API was a cloud-based interface that allowed developers to interact with their MongoDB databases directly using RESTful HTTPS requests. It enabled seamless CRUD (Create, Read, Update, Delete) operations without the need for complex backend logic. This API simplified integration for applications by providing a scalable and efficient way to manage data, making it an attractive choice for developers working with cloud-hosted MongoDB databases.
However, MongoDB has deprecated this API, meaning it is no longer recommended for use in production applications. Organizations using the legacy implementation should transition to more secure alternatives. It is important to note that MongoDB Atlas Functions and Triggers are not deprecated and remain supported. find all deprecation details.
How was Authorization Managed in MongoDB Atlas Data API?
To securely interact with MongoDB Atlas Data API, users had to obtain an authorization token, typically a Bearer token, which was included in API requests for authentication. The token could be generated by:
- Using an API key from the MongoDB Atlas UI with appropriate access roles. (AMZ-API-KEY, etc..)
- Implementing OAuth authentication or JWT-based mechanisms, depending on the application’s security policies.
- Using service authentication methods where predefined credentials allowed API access.
Clarification on MongoDB Atlas Functions Usage
It is important to highlight that the client is using MongoDB Atlas Functions, which are not deprecated. According to MongoDB’s official documentation:
“Triggers Are Not Deprecated. Triggers will continue to be available, and App Services Functions will also continue to be available to use with Triggers.”
While the MongoDB Atlas Data API has been deprecated, Functions remain a supported feature. The vulnerability must be assessed in the context of potential misconfigurations or weak access controls rather than the use of a deprecated service.
Direct Access to MongoDB Atlas Data API – How we found in a recent client engagement
Background
A leading US-based company hired us to perform a holistic security assessment of their production applications and cloud infrastructure.
While testing their application for quick wins, we identified that the application makes a request to the MongoDB Atlast Data API—App Services Functions(which is not deprecated). We quickly captured the request, which contained the Authorization Bearer token, which was granted as soon as the user logged in.
Redacted Request with find operation
POST /api/client/v2.0/app/<db_name>-<random-7-length-string>/functions/call HTTP/2
Host: region.aws.services.cloud.mongodb.com
User-Agent: <User-Agent>
Accept: application/json
Authorization: Bearer <Token>
Content-Type: application/json
{
"name": "find",
"arguments": [
{
"database": "<DB_name>",
"collection": "<Collection_name>",
"document": {
"updatedAt": {"$date": {"$numberLong": "unix-timestamp"}}
}
}
],
"service": "mongodb-atlas"
}After quickly noticing the request, we identified the Javascript file containing keywords that could be potential database and collection names. Since the request already contained the database name, we used the keywords to check if the database contained that collection.
We identified a collection named profile which suggested could be used for users in the application. We then quickly ran a find operation on this collection and the response contained the user profiles in the collection(with no passwords).
We then performed an insertOne function by properly structuring the profile document. We did this by checking the response we got from the /api/me endpoint.
Redacted request with insertOne operation
POST /api/client/v2.0/app/<database-name>-<random-7-length-string>/functions/call HTTP/2
Host: region.aws.services.cloud.mongodb.com
User-Agent: <user-agent>
Accept: application/json
Authorization: Bearer <Token>
Content-Type: application/json
{
"name": "insertOne",
"arguments": [
{
"database": "<database-name>",
"collection": "<collection-name>",
"document": {
"_id": "<username>",
"email": "<email>",
"roles": ["Admin"],
"updatedAt": {"$date": {"$numberLong": "random-unix-time-stamp"}}
}
}
],
"service": "mongodb-atlas"
}We were not surprised to see it working!
Then we also tried deleteOne and no surprises.
Impact of the Vulnerability
- Unauthorized Data Exposure: Attackers could extract sensitive user information, including emails and roles.
- Privilege Escalation: Malicious users could insert, update, or delete user records, leading to privilege abuse.
- Account Takeover: Exposure of sensitive user details could lead to phishing or credential stuffing attacks.
- Data Integrity Risks: The lack of proper backend validation could allow attackers to modify or delete critical business data.
We quickly reported the issue to the client with PentestLive – which helps customer track vulnerabilities in real-time and manage them easily!
Conclusion
By ensuring a proper backend validation mechanism and avoiding direct API exposure, developers can significantly reduce the risk of unauthorized access and data breaches. Since MongoDB Atlas Functions are not deprecated, organizations should focus on implementing stricter access control policies rather than migrating away from this feature.
Strengthen Your Security with Bluefire Redteam
This vulnerability assessment by Bluefire Redteam uncovers critical security flaws in MongoDB Atlas implementations, highlighting the risks of deprecated services and misconfigured API access.
🔥 Why Trust Bluefire Redteam?
- Advanced Penetration Testing – We go beyond automated scans, identifying real-world attack vectors that hackers exploit.
- Deep Cloud & API Security Expertise – Our team specializes in securing cloud environments like MongoDB Atlas, ensuring misconfigurations don’t lead to breaches.
- Red & Purple Team Assessments – We simulate actual cyberattacks and work alongside your security team to fortify defenses.
- Proactive Risk Management – Our continuous security monitoring and PTaaS platform help you stay ahead of threats.
🔐 Don’t Let Vulnerabilities Expose Your Data!
If your MongoDB Atlas configuration is at risk, let Bluefire Redteam secure it before attackers do. Contact us today for a comprehensive security review!