This attack uses public write access, which is how they can delete stuff. I think we can agree that this is not good, and I also think we can agree that a database shouldn't be exposed as-is without an application layer or API on top
Ultimately, companies like MongoDB and Elasticsearch are culpable for selling database technology that is insecure by default, presumably because that's the easiest way to boost their metrics for the VC overlords.
online databases that can be written and deleted by anyone on the internet are no good at all. The data can't be trusted. Of course no welfare for you! All I do is to replace all the names with my name and I can take all the welfare in the whole country! Or for example, doing a search for names and replacing all female names with male names ... how can you trust a database like that?
Making decisions based on a writable database (to the world, and not just from data sources like census, etc) is utterly useless.
Facebook, Twitter, or even Mediawiki, don't permit any random IP address full database access. (Or had better not.)
Rather, for the first two, large numbers of agents may request access limited to a specific account, with limited capabilities granted.
Even Mediawiki, with an extraordinarily open access model (painfully so in most cases) has checks on extensive abuse, and gradations of permissions.
Suggesting that any of these are comparable to full DBA access as the Meow attack (with considerable merits0 targets suggests an exceeding poor grasp of distinctions or misreading of GP's comment.
