COLLABORATION PLATFORM Huddle has been shown to have a security flaw that could let unauthorised parties into documents they had no business seeing.
A BBC reporter was accidentally logged in to a KPMG account and had full access to private financial documents.
The tool is used by government departments including the Home Office, Cabinet Office, HMRC and parts of the NHS.
Huddle said that the bug had affected “six individual user sessions between March and November this year” and had now been fixed.
Apparently the problem arose when two people landed on the same login server within 20 milliseconds of one another. Both were issued the same authorisation code at the two-factor step, so both were issued the same log-in token, and the second arrival ended up inside the first user's session.
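As an added illustration (not Huddle's code and not part of the Inquirer piece), the Python below models the bug class just described: an authorisation code derived from the server identity and a coarse time bucket, so that two logins inside the same bucket receive the same code and, on exchange, the same session. Beside it is an issuer with the properties an authorisation code actually needs: generated from a CSPRNG, bound to the login that requested it, short-lived, and accepted exactly once. The 20 ms bucket, the class and function names, the timestamps and the user names are all assumptions made for the example.

```python
"""Model of a shared-authorisation-code bug beside a hardened issuer.

Hypothetical illustration only: the bucket size, class names and login
flow are assumptions, not Huddle's implementation. Times are integer
milliseconds so the bucket arithmetic is exact.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class IssuedCode:
    user: str        # login that requested the code
    issued_at: int   # ms timestamp
    used: bool = False


class VulnerableCodeIssuer:
    """Assumed flawed design: the code is a function of (server, 20 ms bucket),
    so every login hitting this server in the same bucket gets the same code
    and, on exchange, the same session token."""

    BUCKET_MS = 20  # assumption standing in for the reported collision window

    def __init__(self, server_id: str) -> None:
        self.server_id = server_id
        self.code_owner: dict[str, str] = {}  # code -> first login that received it
        self.sessions: dict[str, str] = {}    # token -> user the session belongs to

    def issue(self, user: str, now_ms: int) -> str:
        bucket = now_ms // self.BUCKET_MS
        code = hashlib.sha256(f"{self.server_id}:{bucket}".encode()).hexdigest()[:32]
        # A second login in the same bucket silently reuses the first login's code.
        self.code_owner.setdefault(code, user)
        return code

    def exchange(self, code: str) -> str:
        # Nothing ties the presenter to the code, so whoever redeems it gets the
        # session of whoever the code was first issued to.
        owner = self.code_owner[code]
        token = hashlib.sha256(f"session:{code}".encode()).hexdigest()[:32]
        self.sessions[token] = owner
        return token


class HardenedCodeIssuer:
    """Each code is CSPRNG-generated, bound to the login that requested it,
    short-lived and single-use."""

    CODE_TTL_MS = 60_000

    def __init__(self) -> None:
        self.codes: dict[str, IssuedCode] = {}
        self.sessions: dict[str, str] = {}

    def issue(self, user: str, now_ms: int) -> str:
        code = secrets.token_urlsafe(32)  # 256 bits of OS randomness, never time-derived
        self.codes[code] = IssuedCode(user=user, issued_at=now_ms)
        return code

    def exchange(self, code: str, user: str, now_ms: int) -> str:
        # `user` stands in for whatever identifies the browser session that
        # started this login (a pre-login cookie, or a PKCE verifier in OAuth).
        rec = self.codes.get(code)
        if (rec is None or rec.used or rec.user != user
                or now_ms - rec.issued_at > self.CODE_TTL_MS):
            raise PermissionError("unknown, expired, replayed or mis-bound authorisation code")
        rec.used = True
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token


T0_MS = 1_700_000_000_000  # constructed timestamp for the walkthrough


def collide_vulnerable():
    """alice and bob log in 5 ms apart on the same server."""
    srv = VulnerableCodeIssuer("login-01")
    code_a = srv.issue("alice", T0_MS)
    code_b = srv.issue("bob", T0_MS + 5)
    tok_a = srv.exchange(code_a)
    tok_b = srv.exchange(code_b)
    # (same code?, same token?, whose session bob now holds)
    return code_a == code_b, tok_a == tok_b, srv.sessions[tok_b]


def no_collision_hardened():
    """Same two logins against the hardened issuer, plus two abuse attempts."""
    srv = HardenedCodeIssuer()
    code_a = srv.issue("alice", T0_MS)
    code_b = srv.issue("bob", T0_MS + 5)
    tok_b = srv.exchange(code_b, "bob", T0_MS + 10)
    try:
        srv.exchange(code_a, "bob", T0_MS + 10)   # bob presents alice's code
        stole_alice = True
    except PermissionError:
        stole_alice = False
    try:
        srv.exchange(code_b, "bob", T0_MS + 11)   # bob replays his own used code
        replayed = True
    except PermissionError:
        replayed = False
    return code_a != code_b, srv.sessions[tok_b], stole_alice, replayed


if __name__ == "__main__":
    print(collide_vulnerable())      # (True, True, 'alice')
    print(no_collision_hardened())   # (True, 'bob', False, False)
```

The point of the comparison is that randomness alone is not the fix: a CSPRNG stops two logins sharing a code, but it is the binding to the requesting session, the expiry and the single-use mark that stop a code being redeemed by anyone other than the person who started that login.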
It added: “With 4.96 million log-ins to Huddle occurring over the same time period, the instances of this bug occurring were extremely rare.”
The thing is, “extremely rare” is not “never”, and for the login system of a product that sells itself on security, anything short of never is not good enough. An authorisation code that two users can end up sharing is about as simple a flaw as they come, even if hitting it was a matter of chance, and it is fortunate that the consequences were not worse and surprising that it was not found sooner.
Huddle launched in the UK in 2006 and went on to become a tool for organisations worldwide, well before rivals like Slack and Box were doing anything comparable.
In recent times it has come under increasing pressure from those rivals, but not to an extent that excuses an error like this going unnoticed for so long in a product whose website claims that, “trusted by governments and proven in enterprise, Huddle is the global leader in secure document collaboration.”
The company also acknowledged that a BBC Huddle workspace for the children’s programme Hetty Feather (no, us neither) had been accessed, but said that no documents were viewed.
To reiterate, Huddle has now fixed the problem, so this should no longer happen: each login is now issued its own authorisation code rather than one that a near-simultaneous login could share.
Source : Inquirer