by nkozyra 3449 days ago
MySQL is the same with bind-address. If someone chooses to expose a db/store to the world, it would be nice if there was some automatic auth enabled. This isn't Mongo-specific; Elasticsearch is the same way.

Agreed. I think it should only work in non-auth mode if you're binding to localhost/loopback but if you go for any other interface it bombs out if auth isn't enabled. Have a flag if you want to override that (if you are doing some other sort of clever auth that the instance can't tell itself), but these defaults are really dumb IMO.
ES did have the same default, but that changed in 2.0. Since then the default is to bind to localhost only. However, ES does not at all provide any authentication without a plugin.
In MySQL you have to change the bind-address but also allow the user to access from any IP (%) in order to access from any IP. Opening the service to the whole web is not enough.
True, and hopefully if/when people do that they're not GRANTing to '%'@'%' or whatever, but I figure if you're not going to bother to tunnel who knows what other silly things you might do.

And this is a case in point.
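
The startup rule proposed in the thread (run without auth only when bound to loopback, refuse any other interface unless auth is on or an explicit override is set), as an added sketch that is not part of the thread or of any database discussed in it. The function names and the `allow_unauthenticated_remote` flag are hypothetical.

```python
import ipaddress


class UnsafeBindError(Exception):
    """Raised when the service would listen off-loopback without auth."""


def is_loopback(bind_address: str) -> bool:
    """True only for addresses that cannot be reached from another host."""
    if bind_address.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(bind_address.strip()).is_loopback
    except ValueError:
        # Not an IP literal (e.g. a hostname): fail closed and treat it
        # as reachable from the network.
        return False


def check_bind_policy(bind_addresses, auth_enabled,
                      allow_unauthenticated_remote=False):
    """Return the non-loopback addresses, or raise if they lack auth.

    allow_unauthenticated_remote is the hypothetical override flag for
    deployments that authenticate somewhere the instance cannot see.
    """
    exposed = [a for a in bind_addresses if not is_loopback(a)]
    if exposed and not auth_enabled and not allow_unauthenticated_remote:
        raise UnsafeBindError(
            "refusing to start: auth is disabled but bind addresses "
            f"{exposed} are not loopback"
        )
    return exposed


if __name__ == "__main__":
    # Constructed sample configurations: (bind addresses, auth enabled).
    samples = [
        (["127.0.0.1", "::1"], False),   # loopback only, no auth: allowed
        (["0.0.0.0"], True),             # all interfaces with auth: allowed
        (["0.0.0.0"], False),            # all interfaces, no auth: refused
    ]
    for addrs, auth in samples:
        try:
            exposed = check_bind_policy(addrs, auth)
            print(addrs, "auth" if auth else "no-auth", "-> ok", exposed)
        except UnsafeBindError as err:
            print(addrs, "auth" if auth else "no-auth", "->", err)
```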