Meat! Security Issues

Dear Meat! Team, dear Meat! Community,

Installing Meat on a public IP at the moment is dangerous for your private data, since Meat! hasn’t implemented any firewall setting or closing policy yet.

1.) Open Redis Server
The default Redis port is open and fully accessible, so you can query data out of it with curl.

2.) Open MongoDB Server
Same here, you actually can get a list of all MongoDB databases, for free :smile:

Request: Meat!, no one needs my data from outside, please make sure these daemons are only listening on 127.0.0.1 or apply iptables for that.

Workaround: While working on a larger VMware installation, the firewall is managed from outside (in my case pfSense), so I can block the default ports just from there.

Additional security issue: Everyone who is familiar with Meat! will know meaturl:8080 is the admin access to your Meat! instance. There is no option for a master password for this area. You will still have to work with the firewall and close the ports 8080 + 8443 and open them on demand.

Best Regards
David Steiman

1 Like
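A local check for the exposure described in the post above, as an added example that is not part of the original thread or Meat!'s own code: it parses `ss -ltn` output on the host and reports watched ports that listen on anything other than loopback. The ports 6379 and 27017 are the upstream Redis and MongoDB defaults (an assumption about the Meat! VM), the service labels are hypothetical, and the sample output is constructed.

```python
import ipaddress

# 8080 and 8443 are named in the post; 6379 and 27017 are the upstream
# default ports for Redis and MongoDB (assumed unchanged on the VM).
WATCHED_PORTS = {6379: "redis", 27017: "mongodb", 8080: "admin", 8443: "admin-tls"}

# Constructed sample of `ss -ltn` output, not captured from a real Meat! VM.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       511     0.0.0.0:6379         0.0.0.0:*
LISTEN  0       128     127.0.0.1:27017      0.0.0.0:*
LISTEN  0       128     *:8080               *:*
LISTEN  0       128     [::]:8443            [::]:*
LISTEN  0       128     [::1]:6379           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

def is_loopback(addr: str) -> bool:
    """True only for loopback addresses; wildcards and unparsable forms are not."""
    addr = addr.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # fail closed: unknown address forms count as exposed

def exposed_listeners(ss_output: str):
    """Return sorted (port, service, address) for watched ports bound off-loopback."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips the header and any non-listening rows
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if port in WATCHED_PORTS and not is_loopback(addr):
            findings.add((port, WATCHED_PORTS[port], addr))
    return sorted(findings)

if __name__ == "__main__":
    for port, service, addr in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {service:10} {addr}:{port}")
```

On a live host, pass the real `ss -ltn` output to `exposed_listeners` instead of the sample; an empty result means every watched daemon is bound to 127.0.0.1 or ::1 only.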

@steiman: next week we’re going to release an update that will set a firewall on all ports that shouldn’t be open to the public. We shall add authentication for the admin panel in future iterations as well. If you have any other suggestions regarding security and improvements of the service, make sure to let us know at support@getmeat.io

This seems like a bit of a contradiction now;

Is it safe?
Absolutely. Meat! stores your code safe and sound in local repositories secured from external access.

Sorry I couldn’t help myself :smiley:

@Sam: I can assure you we didn’t scheme to plant the VM on HDDs of all developers in the world to learn about their most-kept secrets :wink: On a serious note, though, all reports on security issues are our top priority and are dealt with in emergency mode.