It has been discovered that 18 MongoDB databases containing Chinese surveillance data were left accessible on the internet. These databases contained data from several Chinese social media services, collected by the Chinese government. The collection includes names, IDs, numbers, photos, and conversations (both public and private), alongside GPS location and network information.
Victor Gevers, a security researcher working for the GDI Foundation, a nonprofit organization, pointed out this issue through a tweet. He said the details of about 364 million profiles are processed daily and synchronized with these 18 MongoDB databases. This practice of storing such sensitive data on insecure databases was a shocking thing to find.
“Around 364 million online profiles and their chats & file transfers get processed daily. Then these accounts get linked to a real ID/person. The data is then distributed over police stations per city/province to separate operators databases with the same surveillance network name,” said Victor Gevers.
According to Gevers, the data from nearly six Chinese social media platforms is sent into a single database and then linked to a real person. He published a list of identifiers from the database. A few people reading the Twitter thread pointed out that one identifier in the list belongs to the WeChat application.
It is known that China monitors the conversations and social media accounts of its citizens. Gevers pointed out that law enforcement agencies in China manually monitor 2600 to 2900 messages and profiles. Also, most of the profiles under surveillance seem to belong to teenagers.
While the collection of data on its own citizens is in itself worrying, the fact that the databases containing the surveillance data were left vulnerable and open on the internet is even more troublesome. The operators of these databases could not be identified. Gevers notified the Chinese government about this vulnerability. Prior to that, it was said that only one server was accessible.
“There is no security. It looks like they have NO CLUE what they are doing,” said Gevers.
When such sensitive data is made accessible, there are many damaging repercussions. After this news came out, a few people also pointed out a practice by Chinese cyber cafes of installing monitoring applications on their computers. There is uncertainty about who handles this surveillance data and what happens to it.