Panoptic

Panoptic is a technology and web consulting company in New Jersey, specializing in Shopify, WordPress, jQuery, MySQL and PHP.

28/12/2025

You trust your database to keep your data safe. MongoDB just proved it doesn't. 87,000 servers are leaking memory to anyone who asks. 😏

December 2025. CVE-2025-14847, rated CVSS 8.7, nicknamed "MongoBleed" because it works exactly like Heartbleed did eleven years ago.

Zlib compression is enabled by default in MongoDB. When a compressed message arrives, the server reads a header claiming how large the data will be after decompression. MongoDB allocates that amount of memory, decompresses the payload, and sends back the response.

The code returned the full buffer size instead of the actual data length. Send a packet claiming to be 1000 bytes when it's really 100, and MongoDB sends back all 1000 bytes. The extra 900 bytes contain whatever was in memory from previous operations.

What leaks:
→ Cleartext passwords and credentials
→ Session tokens and API keys
→ Customer data and PII
→ Database configs and system info
→ Docker paths and client IP addresses

The attack happens before authentication. No login needed. If an attacker can reach port 27017, they can start extracting memory immediately.

Researchers tested the public exploit and pulled over 8,700 bytes of data in 42 fragments from a single scan. A proof-of-concept is already on GitHub. According to Wiz, 42% of cloud environments have at least one vulnerable instance, and exploitation is already happening in the wild.

How to detect an attack:
When a MongoDB driver connects, it always sends metadata to identify itself. The driver name, version, operating system. The MongoBleed exploit skips this completely. It connects, grabs memory, and disconnects without ever saying what it is.

The difference is obvious in the logs. Normal traffic runs at 1-3 connections per minute with 99-100% sending metadata. During testing, the exploit generated 111,000+ connections per minute with 0% metadata. If you see an IP making thousands of connections without identifying itself, that's your red flag.
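One way to turn the "many connections, no metadata" signal described above into a repeatable check, as an added example (this code is not from the post and not from MongoDB): it builds a constructed log sample in a simplified JSON shape modelled on mongod's "Connection accepted" and "client metadata" events (the field names here are assumptions; verify them against the actual log output of the deployment before relying on the parser), then counts connections per source IP and minute and flags buckets where almost none of the connections identified a driver. The thresholds are assumptions to tune to the environment's own baseline.

```python
import json
from collections import defaultdict


def _event(ts, msg, remote, conn_id, driver=None):
    """Build one constructed log line in a simplified MongoDB-style JSON shape."""
    attr = {"remote": remote, "connectionId": conn_id}
    if driver is not None:
        attr["doc"] = {"driver": driver}
    return json.dumps({"t": ts, "c": "NETWORK", "msg": msg, "attr": attr})


def build_sample_log():
    """Constructed sample: one well-behaved app server and one noisy, silent client."""
    lines, cid = [], 0
    # Legitimate driver: three connections in the minute, each followed by metadata.
    for sec in (1, 20, 40):
        cid += 1
        ts = f"2025-12-28T10:00:{sec:02d}Z"
        remote = f"10.0.0.5:{51000 + cid}"
        lines.append(_event(ts, "Connection accepted", remote, cid))
        lines.append(_event(ts, "client metadata", remote, cid,
                            {"name": "nodejs", "version": "6.3.0"}))
    # Unidentified client: 500 connect/disconnect pairs in the same minute, no metadata.
    for i in range(500):
        cid += 1
        ts = f"2025-12-28T10:00:{i % 60:02d}Z"
        remote = f"203.0.113.9:{40000 + i}"
        lines.append(_event(ts, "Connection accepted", remote, cid))
        lines.append(_event(ts, "Connection ended", remote, cid))
    return lines


def summarize(lines):
    """Per (client IP, minute): [connections accepted, connections that sent metadata]."""
    stats = defaultdict(lambda: [0, 0])
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("c") != "NETWORK":
            continue
        ip = ev["attr"]["remote"].rsplit(":", 1)[0]   # keeps "[::1]" intact for IPv6
        minute = ev["t"][:16]                         # "YYYY-MM-DDTHH:MM"
        if ev["msg"] == "Connection accepted":
            stats[(ip, minute)][0] += 1
        elif ev["msg"] == "client metadata":
            stats[(ip, minute)][1] += 1
    return dict(stats)


def find_suspicious(stats, min_connections=100, max_metadata_ratio=0.10):
    """Flag (ip, minute) buckets with many connections and almost no self-identification."""
    flagged = []
    for (ip, minute), (conns, meta) in stats.items():
        if conns >= max(min_connections, 1) and meta / conns <= max_metadata_ratio:
            flagged.append((ip, minute, conns, meta))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, minute, conns, meta in find_suspicious(summarize(build_sample_log())):
        print(f"{minute} {ip}: {conns} connections, {meta} with metadata")
```

On the constructed sample the app server shows 3 connections with 3 metadata events and is left alone, while the silent client shows 500 connections with 0 metadata events in the same minute and is reported. Against real logs, feed `summarize()` the lines of the mongod log file and lower `min_connections` to just above the observed per-minute baseline.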

Using MongoDB Atlas? Your clusters auto-upgrade, so you should be protected. Check that the upgrade already happened.

The fix was one line of code. Changing "return {output.length()};" to "return length;". One line, sitting wrong in every MongoDB version since 3.6.

Affected versions:
→ MongoDB 3.6.x, 4.0.x, 4.2.x (all versions)
→ MongoDB 4.4.0 through 4.4.29
→ MongoDB 5.0.0 through 5.0.31
→ MongoDB 6.0.0 through 6.0.26
→ MongoDB 7.0.0 through 7.0.27
→ MongoDB 8.0.0 through 8.0.16
→ MongoDB 8.2.0 through 8.2.2

Check if you're running a vulnerable version:
→ Run "mongod --version"
→ Anything between 3.6 and 8.2.2 needs updating

Fixed versions: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30
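To apply the version check above across a fleet rather than by eye, here is an added example (not from the post, not MongoDB's own tooling) that parses the first line `mongod --version` prints and compares the result against the affected and fixed versions listed in the post. The release boundaries are copied from the post; the `db version vX.Y.Z` line format is what current mongod builds print, and the sample output below is constructed.

```python
import re
import subprocess

# First safe release per branch, as listed in the post above.
FIRST_FIXED = {
    (4, 4): (4, 4, 30),
    (5, 0): (5, 0, 32),
    (6, 0): (6, 0, 27),
    (7, 0): (7, 0, 28),
    (8, 0): (8, 0, 17),
    (8, 2): (8, 2, 3),
}
# Branches where every release is affected and no fixed release exists.
NEVER_FIXED = {(3, 6), (4, 0), (4, 2)}

_VERSION_RE = re.compile(r"db version v?(\d+)\.(\d+)\.(\d+)")


def parse_mongod_version(output):
    """Extract (major, minor, patch) from the text printed by `mongod --version`."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'db version' line found in output")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Return 'vulnerable', 'fixed' or 'not listed' for a (major, minor, patch) tuple."""
    branch = version[:2]
    if branch in NEVER_FIXED:
        return "vulnerable"
    if branch in FIRST_FIXED:
        return "fixed" if version >= FIRST_FIXED[branch] else "vulnerable"
    return "not listed"   # branch not covered by the post's table; check the vendor advisory


def check_local(binary="mongod"):
    """Run the local binary and assess it; returns (version, status) or None if not installed."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None
    version = parse_mongod_version(out)
    return version, assess(version)


# Constructed sample in the shape mongod prints (only the first line is parsed).
SAMPLE_OUTPUT = """db version v7.0.27
Build Info: {
    "version": "7.0.27"
}
"""

if __name__ == "__main__":
    result = check_local() or (parse_mongod_version(SAMPLE_OUTPUT), None)
    version = result[0]
    print(".".join(map(str, version)), "->", assess(version))
```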

Can't patch immediately? Disable zlib compression by setting networkMessageCompressors to exclude zlib. Use snappy or zstd instead. But patch as soon as possible.

Heartbleed taught this lesson in 2014. Eleven years later, 87,000 servers are still making the same mistake.

Want to learn how attackers find and exploit vulnerable systems? I cover reconnaissance, penetration testing, and real-world exploitation techniques in my ethical hacking course:

https://www.udemy.com/course/ethical-hacking-complete-course-zero-to-expert/?couponCode=FEBRUARY26
(The link supports me directly as your instructor!)

Hacking is not a hobby but a way of life. 🎯



Research & writing: Jolanda de Koff | HackingPassion.com
Sharing is fine. Copying without credit is not.

20/12/2025

If you're a WhatsApp user, be on the lookout for attacks like this:

> You get a message from someone you know. "Hey, I just found your photo!" with a link that looks like Facebook. You click it. A page asks you to "verify" before viewing the photo. You enter your phone number. You get a code. You type it into WhatsApp.
>
> Done. The attacker now has full access to your account.

For a detailed explanation on how the attack works behind the scenes, read the post shared below.

3 billion WhatsApp users. No password stolen. No malware installed. Yet criminals get full access to your account. 😏 GhostPairing. Discovered December 15, 2025 by Gen Digital (Norton, Avast, AVG).

You get a message from someone you know. "Hey, I just found your photo!" with a link that looks like Facebook. You click it. A page asks you to "verify" before viewing the photo. You enter your phone number. You get a code. You type it into WhatsApp.

Done. The attacker now has full access to your account.

Behind the scenes:
→ The fake page forwards your number to WhatsApp's legitimate device linking feature
→ WhatsApp sends YOU the pairing code
→ The fake page tells you to enter it "for verification"
→ You just linked the attacker's browser as a trusted device
→ They now see everything. Every message. Every photo. Every voice note.

The attack uses domains like:
→ photobox[.]life
→ yourphoto[.]life
→ fotoface[.]top
→ photopost[.]live

All designed to look like Facebook photo viewers.

The scary part? Your phone keeps working normally. You have no idea someone else is reading your conversations. The attacker stays invisible until you manually check your linked devices.

And it spreads fast. Once they have your account, they send the same "found your photo" message to YOUR contacts, your family, and your friends.

When I saw this, I remembered this technique is not entirely new. Gen Digital gave it a name, but the method has been documented before. This same device-linking trick has been used since at least 2023. Microsoft and Google point to Russian state actors, but attribution in cyber is always tricky. In January 2025, Microsoft caught Star Blizzard (also known as COLDRIVER) doing the same thing to WhatsApp accounts through fake group invites.

The attack works because people don't read prompts and trust messages from contacts.

No hacking tools needed. No technical skills required. Just social engineering using the app's own features against you.

How to check:
1. Open WhatsApp
2. Go to Settings → Linked Devices
3. See something you don't recognize?
4. Log it out immediately

Enable Two-Step Verification while you're there. It won't stop this attack directly, but it adds another security layer.

The lesson? That "verification code" you enter without thinking could be handing your entire digital life to a stranger.

Read prompts. Question unexpected requests. Even from people you trust.

Want to understand social engineering attacks like this in depth? I cover phishing, social engineering, and real attack scenarios in my ethical hacking course:
https://www.udemy.com/course/ethical-hacking-complete-course-zero-to-expert/?couponCode=FEBRUARY26
(The link supports me directly as your instructor!)

Hacking is not a hobby but a way of life. 🎯



Research & writing: Jolanda de Koff | Hackingpassion.com
Sharing is fine. Copying without credit is not.

20/12/2025

Which one would you choose?

You’ve just checked into your hotel and three WiFi networks pop up:
A) Hotel_Guest_WiFi
B) HotelGuest_WiFi
C) Hotel_Free_WiFi
Which one do you connect to?
Tip: Always be cautious with “Free WiFi” networks - they’re often unsecured and can be a hacker’s playground. Stick to official, password-protected networks provided by the hotel (ask the front desk to confirm the correct one).
Bonus Tip:
Use a VPN when using public WiFi to keep your data and passwords safe from prying eyes.

29/08/2023

If you're a user of Notepad++, you are at risk:

https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__/

tl;dr: A specially crafted malicious file when opened by Notepad++ may be able to execute arbitrary code on the victim's computer, without any further interaction, aside from opening the malicious file.

Be careful taking candy from strangers.

Multiple memory safety violations in Notepad++ opening a crafted file.

11/09/2022

For a newly launched product, how do you prefer to calculate ?

There's lots of ways to calculate LTV for subscription-based businesses, but I've been studying two in particular.

The first is very simple:

LTV = (Customer Value x Average Customer Lifespan)

Where Average Customer Lifespan = (1 / Average Churn Rate)

While this is very straightforward to calculate IF you have the correct Average Customer Lifespan, which for a new SaaS product, you're estimating/projecting, _AND_ if your Churn Rate is uniform over time, which for many SaaS products probably isn't the case.

In my experience, customer churn numbers after month 1 follow a power law distribution like `y = nx^k`, where `k < 0`. I suppose if you calculate the Average Churn Rate over the first N months, it might be good enough for a rough approximation of LTV.

The second approach involves a lot more data analysis.

I group customers into cohorts by signup month, then calculate the actual churn numbers by month, and use curve fitting to predict the future churn numbers.

Using only 6 months of data, this gets me `R^2 > 0.83`, which is good enough for this exercise. `R^2 > 0.88` if I use 9 months of data.

I then apply the Kaplan-Meier estimator to calculate survival rate using my actual and estimated churn counts.

Then, to calculate LTV for each cohort:

LTV = Sum over time of (Survival Rate x Value)

I've seen some calculations that include a Discount Rate to account for Net Present Value and network effects of longer-lived subscribers, but since this is also another wild-ass guess, I chose to ignore it for now.

What I found super interesting is, between the two approaches, the LTV I calculated using the first approach compared to the projected first year LTV using the second approach yielded results that only differed by 0.59%.

The first approach, using an educated guess for Average Churn Rate, took a minute or two to compute.

I suppose the time it took to measure and calculate the churn rate to be able to come up with an approximation for the Average Churn Rate took some time, but that pre-work was already done.

But, this approach definitely relies on luck to choose the right Average Churn Rate number. If I had chosen a value that was just +/- 2.5% different, that would have given results that would have differed by +16.2% or -17.0%, respectively. My educated guess was incredibly lucky, and I wouldn't have known how lucky if I hadn't done the deeper cohort-based analysis.

The second approach took a bunch of hours of segmenting customers into cohorts, then tabulating their actual churn histories, then the curve fitting, then setting up the model to calculate the LTV for each cohort, and so on.

However, the outcome of this more thorough analysis is that it's more closely dependent on the actual data and not on my ability to correctly guesstimate a value that is used in the calculation.

Got any questions? Comment 👇️ below!
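Both approaches from the post, carried through on a constructed cohort as an added example (this is not the author's model or data): a power-law fit in log-log space on the observed monthly churn counts, extrapolation to a 12-month horizon, a Kaplan-Meier survival curve (no censoring, so it reduces to the plain surviving fraction), and the two LTV formulas side by side. The cohort size, churn counts, monthly value and the convention that revenue is collected at the start of each month are all assumptions; the 0.59% agreement the post reports is a property of the author's data and is not reproduced here.

```python
import math

# Constructed cohort (not from the post): 1000 signups, observed churn counts for
# months 1..6, declining roughly as 180 * m**-1.
COHORT_SIZE = 1000
OBSERVED_CHURN = [180, 90, 60, 45, 36, 30]
MONTHLY_VALUE = 20.0   # assumed revenue per surviving customer per month
HORIZON = 12           # months of LTV to project


def fit_power_law(counts):
    """Least-squares fit of y = n * x**k in log-log space; returns (n, k)."""
    xs = [math.log(m) for m in range(1, len(counts) + 1)]
    ys = [math.log(c) for c in counts]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    k = sxy / sxx
    n = math.exp(my - k * mx)
    return n, k


def r_squared(counts, n, k):
    """Goodness of fit of y = n * x**k against the observed counts."""
    preds = [n * m ** k for m in range(1, len(counts) + 1)]
    mean = sum(counts) / len(counts)
    ss_res = sum((c - p) ** 2 for c, p in zip(counts, preds))
    ss_tot = sum((c - mean) ** 2 for c in counts)
    return 1 - ss_res / ss_tot


def project_churn(counts, horizon):
    """Observed counts followed by fitted predictions up to `horizon` months."""
    n, k = fit_power_law(counts)
    return list(counts) + [n * m ** k for m in range(len(counts) + 1, horizon + 1)]


def kaplan_meier(cohort_size, churn_counts):
    """Survival S(t) for t = 0..T with S(0) = 1; product of (1 - d_t / at_risk_t)."""
    survival = [1.0]
    at_risk = float(cohort_size)
    for d in churn_counts:
        survival.append(survival[-1] * (1 - d / at_risk))
        at_risk -= d
    return survival


def cohort_ltv(cohort_size, churn_counts, value):
    """Second approach: sum over months of survival rate times value (paid at month start)."""
    s = kaplan_meier(cohort_size, churn_counts)
    return sum(st * value for st in s[:-1])


def simple_ltv(cohort_size, churn_counts, value):
    """First approach: value * (1 / average monthly churn rate over the observed months)."""
    rates, at_risk = [], float(cohort_size)
    for d in churn_counts:
        rates.append(d / at_risk)
        at_risk -= d
    return value * (1 / (sum(rates) / len(rates)))


if __name__ == "__main__":
    n, k = fit_power_law(OBSERVED_CHURN)
    print(f"fit: y = {n:.1f} * x^{k:.2f}, R^2 = {r_squared(OBSERVED_CHURN, n, k):.3f}")
    projected = project_churn(OBSERVED_CHURN, HORIZON)
    print(f"12-month cohort LTV: {cohort_ltv(COHORT_SIZE, projected, MONTHLY_VALUE):.2f}")
    print(f"simple LTV:          {simple_ltv(COHORT_SIZE, OBSERVED_CHURN, MONTHLY_VALUE):.2f}")
```

Because the constructed churn counts follow the power law exactly, the fit recovers n = 180 and k = -1 with R^2 of 1; on real cohort data the R^2 is the figure to watch before trusting the extrapolated months. Note that the simple formula projects over an unbounded lifetime (about 11 months here) while the cohort figure is capped at the 12-month horizon, which is one reason the two can diverge.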

25/10/2021

A critical Discourse remote code execution (RCE) vulnerability tracked as CVE-2021-41163 was fixed via an urgent update by the developer on Friday.
