Documentolog Company Addresses Vulnerability in System

An update on the situation following CARCA's statement about a vulnerability discovered in the Documentolog system.


08.08.2018


Gulzat Temirbayeva

Digital marketing manager

On August 8, 2018, CARCA, a licensed provider of penetration-testing services, published a post on its Facebook page titled «Critical vulnerability found in the Kazakh document management system».

According to CARCA's statement, a critical vulnerability was discovered in the Documentolog document management system that gave access to the business correspondence of every organization using Documentolog and escalated the attacker's privileges to those of a domain controller administrator.

To clarify the situation, Documentolog's CEO, Baizhan Kanafin, gave the following comments on the statement:

«CARCA published a sensational headline on their page claiming that they found a vulnerability in our document management system. They imply that since our clients include large state organizations, we are already working with them and we are vying for the role of the state EDS, this cannot happen without someone's «paw» or «lobbying». Therefore, they believe they have the right to hack us and fight for the safety of the data we hold.

As we learned yesterday, CARCA was hired by one of our clients to analyze the vulnerability of their electronic document management system «Documentolog», which is located in their domain but operates on a SaaS model, meaning it runs on our resources. They were unable to hack the system directly. By analyzing the requests coming from the system, we found that there were requests from their portal to our internal company portal. This is our internal resource at Documentolog, where the entire company operates.

As a result, they sent an email with embedded executable code from our client's domain to our technical support service. Naturally, our service opened this email, and the hackers were able to intercept the session. Thus, they gained temporary access to all documents on our portal that the support staff have access to. Consequently, they had access to some internal documents used by our technical specialists. This became the main find for the hackers. After obtaining access to these documents, they began using the information to compromise our clients.

Yesterday, August 7, when our client's employees informed us about this, we fixed all the vulnerabilities within an hour. In particular, we eliminated the possibility of session hijacking, restricted access rights for all employees, and removed documents containing confidential information about our clients from our system.

Undoubtedly, this was very useful information for us, and we were grateful for the identified vulnerabilities; we even considered conducting such tests on a periodic basis. It seems we had agreed to meet with CARCA specialists next week.

As a result, an hour ago, CARCA decided that they should not miss the chance to promote themselves through cheap PR and published a post that I «shared». As the head of Documentolog, I can say the following:

  • The CARCA specialists were unable to hack the systems of our clients. The main result of their hacking was information from the company's internal portal, which was simply stored there due to human factors. All identified vulnerabilities in our internal portal were addressed immediately, and all access credentials and passwords to our clients' systems were changed the same day. We will continue to work on this.
  • We are a completely private company, not a state one. We have earned every client through our own efforts, without any external pressure. We have been developing our product independently with our own funds for over 10 years, and by now it is probably one of the most competitive IT products in Kazakhstan. Apparently, our successes are troubling someone, and CARCA may just be a tool. Time will tell. I will keep you updated on what happens.
  • The methods used by CARCA are unethical and, moreover, very harmful to the IT industry in the country. Not only did they act illegally, falling under Articles 205, 207 and 208 of the Criminal Code; instead of helping to improve information security, they damaged the reputation of a Kazakhstani development company. They did not warn the company about the identified vulnerabilities, did not ask for them to be fixed, and did not even give time to address them. They simply published them. Moreover, as I later learned, they did so without coordinating with the client who ordered the audit from them. This is how people act whose goal is not to rectify the situation but something else, including selfish motives.
  • Today, any IT system can be hacked given the right desire and funding. It is important for a company not to stand still and to work constantly on improving its information security system. We do this continuously, so in some ways such methods have their advantages; they will keep us on our toes. Even giants like Microsoft and Google constantly find security gaps and update their systems.
  • On Documentolog's side, we will be very open about the entire process, and as transparent as possible. CARCA is now already trying to justify their actions with ridiculous assurances of the nobility of their intentions. But that is not enough for us. We will study their actions and the actions of the client from a legal perspective. We have agreed to issue a joint press release, and we will discuss what exactly will be included in it. It is important for us to have a rebuttal.»

We reiterate that a detailed report on yesterday's incident and the measures taken to address the vulnerability will be published at the earliest opportunity.

The interview with B. Kanafin was recorded by reporters from mail.kz.
