[BreachExchange] ABBYY woes: Doc-reading software firm leaves thousands of scans blowing in wind

Destry Winant destry at riskbasedsecurity.com
Thu Aug 30 09:07:03 EDT 2018


https://www.theregister.co.uk/2018/08/29/abbyy_aws_database_open_snafu/

Document-reading software flinger ABBYY exposed more than 203,000
customer documents as the result of a MongoDB server misconfiguration.

The AWS-hosted MongoDB server was accidentally left publicly
accessible and contained 142GB of scanned documents including over
200,000 scanned contracts, memos, letters and other sensitive files
dating back to 2012. No username or password would have been needed to
access this sensitive info before the hole was plugged.

Independent security researcher Bob Diachenko discovered the breach
and alerted the software vendor. The data dump was discovered through
Shodan, the machine data search engine, while Diachenko was
investigating whether measures had been taken to avert MongoDB
ransomware attacks, a particular problem last year.

ABBYY responded by blocking public access to the insecure system,
allowing Diachenko to go public about his findings.

"Questions still remain as [to] how long it has been left without
password/login, who else got access to it and would they notify their
customers of the incident," Diachenko wrote in a LinkedIn post related
to the breach.

The name of the particular ABBYY client whose data was exposed has not
been disclosed. ABBYY admitted the breach, which it described as a
"one-off", but said it had been resolved and had no impact on its
various cloud-based services. The affected client was informed about
the breach, which did not result in the disclosure of data to hackers,
ABBYY said.

Last week, we were notified of a vulnerability affecting one of our
MongoDB servers. MongoDB database software is widely used by
enterprises. As soon as we got the email, we locked external access to
the database, notified the impacted party, and took a full corrective
security review of our infrastructure, processes, and procedures.

Our detailed investigation has shown that:

- Only one client was affected. Said client has been notified, and all
the necessary corrective measures have been taken.
- No data was lost to an unknown party during the exposure.
- The system is in a fully secure state.

Most importantly, this is a one-off incident and doesn't compromise
any other services, products or clients of the company. There is no
relationship with or impact to CloudOCRSDK.com, FlexiCapture.com or
any of our global cloud offerings. Additionally, no impact to any
FlexiCapture or FineReader solution sold or promoted by ABBYY (cloud
or on-premise).

We thank the research community for pointing out the vulnerability.
The issue has been addressed and corrected. We are and will be taking
all and any steps necessary to make sure it does not happen again.

MongoDB comes with security features as well as advice for
administrators on how to secure systems. The default configuration of
older versions of the database works without password access and listens
on all network interfaces, so an instance that is reachable from the
internet is readable by anyone who finds it. Misconfigured MongoDB
servers remain a common cause of security problems, and infosec watchers
are unimpressed that ABBYY failed to heed the lessons of similar breaches.
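As an added illustration that is not part of the original article or of ABBYY's own setup, the two mongod.conf fragments below contrast the kind of configuration that leaves an instance open (no authentication, bound to every interface) with a hardened one. The file path, the bind addresses and the port are assumptions; the option names (net.bindIp, net.port, security.authorization) are the standard mongod configuration keys.

```yaml
# --- Weak configuration (constructed example of an exposed instance) ---
# Assumed location: /etc/mongod.conf
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including a public one
# No "security" section: in older releases this means no authentication at all,
# so any client that can reach the port can read and write every database.

---
# --- Hardened configuration (constructed example) ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private-network address only
security:
  authorization: enabled       # every client must authenticate as a MongoDB user
  # (clients then need a user created via db.createUser() with a role such as
  #  readWrite on the application database; the admin user is created first)
```

A quick defensive check after applying the hardened file is to connect from outside the allowed network and confirm the TCP port is closed, then connect from an allowed host without credentials and confirm that database commands are refused with an authorization error. Keeping the port off the public internet (security group or firewall) matters even with authentication enabled, since the bindIp setting is the control that failed in the incidents the article describes.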

"Victims of hacks associated with MongoDB have included the likes of
Verizon, 'elite' dating website BeautifulPeople, and 31 million users
of an Android keyboard app," said industry veteran Graham Cluley in a
post on the TripWire security blog.

"In this day and age, connecting a naked, unsecured MongoDB instance
directly onto the internet can only be described as reckless and
inexcusable. The security issue is well known, and the means to
protect against it is well-documented."

