Confidential KPMG documents accessed because of security flaw with sign in process
Cloud-based collaboration software developer Huddle is at the centre of a security scare, after supposedly private documents were exposed to unauthorised parties.
The BBC reported that one of its journalists had inadvertently signed in to a KPMG account, and gained full access to private financial documents.
The security flaw has now been fixed, but its accidental discovery is sure to raise concerns among its customer base.
The software from the London-based firm allows work colleagues to share information online. It is widely used by the British government including the Home Office, Cabinet Office, Revenue & Customs, and parts of the NHS.
Huddle has also expanded into the United States where it is said to be used by the Department of Homeland Security Science and Technology Directorate (DHS S&T), and the National Geospatial-Intelligence Agency (NGA).
The BBC explained how one of its correspondent last Wednesday logged in to Huddle to access a shared diary that his team kept on the platform.
The BBC man was instead logged in to a KPMG account, with a directory of private documents and invoices, and an address book.
The BBC then contacted Huddle to report the security issue, and the firm later confirmed that in addition to this flaw, a third party had accessed one of the BBC’s Huddle accounts, namely the Huddle of BBC Children’s programme Hetty Feather.
However it said that no BBC documents had been opened.
The fault it seems was to do with Huddle’s Sign In process.
Essentially it seems that during the Huddle sign-in process, the customer’s device requests an authorisation code.
But if two people land on the same login server within 20 milliseconds of one another, they would both be issued the same authorisation code. This authorisation code is carried to the next step, in which a security token is issued, letting the customer access their Huddle.
But becuase both User A and User B present the same authorisation code, whoever is fastest to request the security token is logged in as User A.
“On the 8th November 2017, Huddle was alerted by one of its users to a potential security bug,” the firm told Silicon UK in an emailed statement.
“Under certain circumstances it was found that when logging in to Huddle, a user may inadvertently be granted access to content outside of their account permissions,” the firm said. “On discovery, the bug was immediately patched, and a full investigation launched.”
“Huddle has discovered that this bug impacted six individual user sessions between March and November this year. With 4.96 million log-ins to Huddle occurring over the same time-period, the instances of this bug occurring were extremely rare. However, Huddle takes the security of its client data extremely seriously and the owners of any accounts that we believe may have been compromised by this bug have been notified.
“While this is an unfortunate, and concerning issue, in no way were any of the instances a malicious attempt by one party to gain access to another party’s data,” it said. “In all cases, users were unwittingly directed to an incorrect Huddle Workspace.”
Huddle said it was continuing to work with the owners of the accounts that it believes may have been compromised, and it issued an unreserved apology to them.
“We wish to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated,” the firm told Silicon UK.
Quiz: Are you a privacy expert?