The BBC has uncovered a security flaw in the Huddle office collaboration tool that exposed KPMG and BBC files to unauthorized users.
Huddle, a cloud-based tool (in use at the UK Home Office, Cabinet Office, Revenue & Customs and several branches of the NHS, the BBC reported), bills itself "the global leader in secure content collaboration". Huddle said it has fixed the flaw.
The issue was found when a BBC journalist signed in to Huddle to access a shared calendar for his team. But instead of accessing the calendar, he was redirected to a KPMG account that was not his own, where he was presented with full access to private financial documents, including invoices.
When the BBC reported the problem, Huddle explained that during sign-in the user's device requests an authorization code from the back end. Huddle hosts multiple organizations on the same back-end servers, and if two people signed in to the same server within 20 milliseconds of one another, both were issued the same authorization code. Both were then signed in to the account of whichever of them received the code first, even if that account belonged to a completely different company. The defence against this class of bug is standard: authorization codes must come from a cryptographically secure random source, be redeemable only once and only for a short time, and be bound to the client session that requested them, so that neither a colliding code nor a leaked one can be used to enter someone else's account.
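The collision described above, modelled as an added example (this is constructed illustration code, not Huddle's implementation, and the time-bucket scheme is a hypothetical stand-in for whatever actually produced the duplicate codes): a deliberately flawed issuer that derives the code from the 20 ms bucket a request lands in, beside a hardened issuer whose codes are random, single-use, short-lived and bound to the requesting client with a PKCE-style S256 challenge. The user names, organisation domains and timestamps are made up for the simulation.

```python
"""Constructed model of an authorization-code race: a flawed time-bucket
issuer next to a hardened, client-bound issuer. Hypothetical code, not Huddle's."""
import hashlib
import secrets


def s256(verifier: str) -> str:
    """PKCE-style challenge: SHA-256 of the client's secret verifier."""
    return hashlib.sha256(verifier.encode()).hexdigest()


class TimeBucketIssuer:
    """Deliberately flawed (hypothetical). The code is a function of the
    20 ms bucket the request lands in, so two logins in the same bucket get
    the same code, and the first user to receive it owns the session."""

    BUCKET_MS = 20

    def __init__(self):
        self._owner = {}  # code -> first user the code was issued to

    def issue(self, user, now_ms, challenge):
        code = format(now_ms // self.BUCKET_MS, "x")
        self._owner.setdefault(code, user)  # first claimant wins
        return code

    def redeem(self, code, verifier, now_ms):
        # No client binding, no expiry, no single use: whoever presents the
        # code is signed in as whoever received it first.
        return self._owner.get(code)


class BoundCodeIssuer:
    """Hardened issuer: 256-bit random code, single use, 60 s lifetime, and
    redeemable only with the verifier matching the challenge it was issued to."""

    TTL_MS = 60_000

    def __init__(self):
        self._pending = {}  # code -> (user, challenge, issued_ms)

    def issue(self, user, now_ms, challenge):
        code = secrets.token_urlsafe(32)  # 256 bits: collisions are infeasible
        self._pending[code] = (user, challenge, now_ms)
        return code

    def redeem(self, code, verifier, now_ms):
        entry = self._pending.pop(code, None)  # consumed on the first attempt, success or not
        if entry is None:
            return None
        user, challenge, issued_ms = entry
        if now_ms - issued_ms > self.TTL_MS:
            return None
        if not secrets.compare_digest(s256(verifier), challenge):
            return None
        return user


def race(issuer):
    """Two users at different organisations sign in 15 ms apart on the same
    shared back end. Returns the account each client ends up signed in to."""
    t0 = 1_000_000
    alice_v = secrets.token_urlsafe(32)  # each client keeps its own verifier
    bob_v = secrets.token_urlsafe(32)
    alice_code = issuer.issue("alice@org-a.example", t0, s256(alice_v))
    bob_code = issuer.issue("bob@org-b.example", t0 + 15, s256(bob_v))
    return {
        "alice": issuer.redeem(alice_code, alice_v, t0 + 30),
        "bob": issuer.redeem(bob_code, bob_v, t0 + 40),
    }


if __name__ == "__main__":
    print("time-bucket codes:", race(TimeBucketIssuer()))
    print("bound codes:      ", race(BoundCodeIssuer()))
```

With the time-bucket issuer both clients land in the first user's account; with the bound issuer each client gets its own. Consuming the code on any redemption attempt, not only on success, is deliberate: it stops a second party from retrying a code with guessed verifiers, and an expired or mismatched code is discarded rather than left pending.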
In a statement, Huddle said the bug had affected "six individual user sessions between March and November this year. With 4.96 million log-ins to Huddle occurring over the same time period, the instances of this bug occurring were extremely rare.”
Huddle also told the BBC that the same flaw had allowed a third party to access one of the BBC's own Huddle accounts, for the BBC Children's programme Hetty Feather, but said no documents had been opened.
"We wish to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated," the company told the BBC. "We are continuing to work with the owners of the accounts that we believe may have been compromised, and apologize to them unreservedly."
Bill Evans, senior director at One Identity, said that the situation gives pause on a few levels.
“It was a bug…a security flaw…from a company that bills itself as a security-minded company, stewards of sensitive and confidential information,” he said, after acknowledging its rarity. “Second, there’s KPMG. The employees of that company were likely simply trying to be more productive. In doing so, they may have posted confidential information to a cloud-based service provider. I wonder if the use of that system was sanctioned by KPMG’s IT or infosec departments, or perhaps this was another example of shadow IT, where the line-of-business people took it upon themselves to find a SaaS solution to a productivity problem.”
He added, “It would be interesting to understand what type of data was on the Huddle site. Was it European citizen data? Would its existence violate the upcoming GDPR regulation? Could KPMG erase specific data elements if a citizen wanted to invoke his/her right to be forgotten? Perhaps we’ll never know.”