Huddle's 'Highly Secure' Work Tool Exposed KPMG And BBC Files
The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties.
A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents.
Huddle is an online tool that lets work colleagues share content and describes itself as "the global leader in secure content collaboration".
The company said it had fixed the flaw.
Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages.
"If somebody is putting themselves out there as a world-class service to look after information for you, it just shouldn't happen," said Prof Alan Woodward, from the University of Surrey.
"Huddles contain some very sensitive information."
In a statement, Huddle said the bug had affected "six individual user sessions between March and November this year".
"With 4.96 million log-ins to Huddle occurring over the same time period, the instances of this bug occurring were extremely rare," it said.
As well as a BBC employee being redirected to the KPMG account, Huddle said a third party had accessed one of the BBC's Huddle accounts.
KPMG has not yet responded to the BBC's request for comment.
How was the flaw discovered?
On Wednesday, a BBC correspondent logged in to Huddle to access a shared diary that his team kept on the platform.
He was instead logged in to a KPMG account, with a directory of private documents and invoices, and an address book.
The BBC contacted Huddle to report the security issue.
The company later disclosed that a third party had accessed the Huddle of BBC Children's programme Hetty Feather, but it said no documents had been opened.
How did this happen?
During the Huddle sign-in process, the customer's device requests an authorisation code.
According to Huddle, if two people arrived on the same login server within 20 milliseconds of one another, they would both be issued the same authorisation code.
This authorisation code is carried over to the next step, in which a security token is issued, letting the customer access their Huddle.
Since both User A and User B present the same authorisation code, whoever is fastest to request the security token is logged in as User A.
How has Huddle addressed this?
Huddle has now changed its system so that every time it is invoked, it generates a new authorisation code.
This ensures no two people are ever simultaneously issued the same code.
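The two-step flow described above (authorisation code, then security token) can be modelled to show why a code shared across a 20 ms window is exploitable by whoever redeems it first, and what the fix has to look like. The following is an added example written for this article, not Huddle's code; it assumes the weak issuer derived codes from a 20 ms time bucket (the article does not say how the duplicate codes arose, only that they were issued within that window) and that each device has a session identifier the code can be bound to.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

BUCKET_MS = 20  # assumed: models the 20 ms window described in the article


def weak_auth_code(now_ms: int, server_secret: bytes = b"constructed-secret") -> str:
    """Modelled weak issuer: the code is a function of the 20 ms time bucket only,
    so two logins landing in the same bucket receive an identical code."""
    bucket = now_ms // BUCKET_MS
    digest = hashlib.sha256(server_secret + bucket.to_bytes(8, "big")).hexdigest()
    return digest[:32]


@dataclass
class FixedAuthServer:
    """Corrected issuer: a fresh random code on every invocation, bound to the
    device session that requested it, and redeemable exactly once."""
    _pending: dict = field(default_factory=dict)  # code -> (session_id, user_id)

    def issue_code(self, session_id: str, user_id: str) -> str:
        code = secrets.token_urlsafe(32)  # CSPRNG output, independent of arrival time
        self._pending[code] = (session_id, user_id)
        return code

    def exchange_code(self, code: str, session_id: str):
        """Return a security token for the code's owner, or None if the code is
        unknown, already used, or presented by a session other than the requester."""
        entry = self._pending.get(code)
        if entry is None or entry[0] != session_id:
            return None
        del self._pending[code]  # single use: a second redeem attempt fails
        return f"token-for-{entry[1]}"


def weak_codes_collide(t_a_ms: int, t_b_ms: int) -> bool:
    """True when two arrivals at the given millisecond timestamps get the same code."""
    return weak_auth_code(t_a_ms) == weak_auth_code(t_b_ms)


if __name__ == "__main__":
    # Constructed timestamps 15 ms apart fall in the same bucket: identical codes.
    print("weak issuer collides:", weak_codes_collide(1000, 1015))
    server = FixedAuthServer()
    code_a = server.issue_code("session-A", "user-A")
    code_b = server.issue_code("session-B", "user-B")
    print("fixed issuer codes identical:", code_a == code_b)
    print("cross-session exchange:", server.exchange_code(code_a, "session-B"))
```

Generating a fresh random code per invocation removes the collision, and binding the code to the requesting session means that even a duplicated or leaked code cannot be turned into someone else's token.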
"We wish to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated," the company told the BBC.
"We are continuing to work with the owners of the accounts that we believe may have been compromised, and apologise to them unreservedly."