http://erlend.oftedal.no/blog/?blogid=115
I just read Is 2011 the Year of NoSQL Data Breaches? over at Infosec
Island. The article was really interesting and points out some aspects
of MongoDB which I really don't like. I'm all for NoSQL databases, as
the relational model does not fit well everywhere, so I'm hoping the
MongoDB developers will address these issues pretty soon.
One of the problems the article points out is that a MongoDB user
has either read-only or read-write access to the whole database, meaning
that if you manage to breach a read-write account, you can access
everything.
The second problem is the authentication, which seems to rely on MD5
digests, and any security-minded developer will tell you not to rely
on MD5 anymore. These digests are also apparently repeatable, which
opens the door to replay attacks.
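To make the replay point concrete, here is an added toy example (my own constructed code, not MongoDB's actual protocol) that checks a login proof in two ways: a proof that is the same on every login can be presented again by whoever captured it, while a proof keyed to a fresh single-use server nonce cannot. The user name, password and digest layout are made up for the example.

```python
import hashlib
import hmac
import secrets

# Constructed toy, not MongoDB's real wire protocol. The stored credential is an
# MD5 digest only to mirror the article; the hash choice is a separate concern
# from the replay problem shown here.
STORED = {"alice": hashlib.md5(b"alice:mongo:secret").hexdigest()}


class StaticDigestServer:
    """Login proof is the digest itself: identical on every login, so a
    captured proof stays valid for as long as the password does."""

    def login(self, user, proof):
        return hmac.compare_digest(proof, STORED.get(user, ""))


class NonceBoundServer:
    """Login proof is keyed to a fresh, single-use server nonce, so a
    captured proof cannot be accepted a second time."""

    def __init__(self):
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    @staticmethod
    def proof(stored_digest, nonce):
        return hmac.new(stored_digest.encode(), nonce.encode(), hashlib.sha256).hexdigest()

    def login(self, user, nonce, proof):
        if user not in STORED or nonce not in self.outstanding:
            return False                  # unknown user, or nonce never issued / already spent
        self.outstanding.discard(nonce)   # one use only: this is what defeats replay
        return hmac.compare_digest(proof, self.proof(STORED[user], nonce))


def compare_replay():
    """Return (static_replay_accepted, nonce_first_login_ok, nonce_replay_accepted)."""
    static = StaticDigestServer()
    captured = STORED["alice"]            # what an observer of the static scheme sees
    static_replay = static.login("alice", captured)

    server = NonceBoundServer()
    nonce = server.challenge()
    captured = NonceBoundServer.proof(STORED["alice"], nonce)
    first = server.login("alice", nonce, captured)
    replay = server.login("alice", nonce, captured)   # same nonce and proof again
    return static_replay, first, replay
```

In the static scheme the stored digest is effectively the password, so anything that lets it travel unkeyed is as bad as sending the password itself; binding the proof to a server-chosen nonce and refusing reuse is the standard fix.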