A flaw has been discovered in the collaboration tool Huddle that is believed to have allowed unauthorised persons to view private company documents.
What is Huddle?
Huddle is a cloud-based software system, marketed as secure, for collaborative work, file sharing and project management. It can be accessed through mobile and desktop apps, and can be integrated with enterprise tools such as Microsoft Office, Google Apps for Work, SharePoint and Salesforce.com.
Used By Government Agencies
What makes this recent discovery more worrying and embarrassing is the fact that Huddle publicly claims that more than 80% of UK Central Government agencies use the Huddle system and that it has administrative, technical and physical safeguards, and yet a simple login flaw appears to have exposed clients to potentially serious security risks.
The security flaw is reported to have been discovered by a journalist who tried to log in and access a shared diary for their team, but was instead logged in to a KPMG account, and was able to view a directory of private documents and invoices, and an address book.
Huddle also discovered later that an unknown, unauthorised person had accessed the Huddle workspace of the BBC children's programme Hetty Feather, but had not opened any of the private documents.
Huddle’s reported explanation of the problem is that because two users arrived at the login server within 20 milliseconds of each other, both were issued the same authorisation code. This duplicate code was then carried into the security token exchange, and whichever user was fastest to exchange the code for a security token was logged in to the session bound to that code, and was therefore able to see another company’s files. In other words, the authorisation code was not unique per login attempt, and nothing in the token exchange checked that the code was being redeemed by the user it had been issued to.
A statement from Huddle appeared to play down the seriousness of the discovery by pointing out that the bug had only affected six sessions out of 4.96 million log-ins between March and November.
Huddle users will be relieved to hear that Huddle has now fixed the bug by making sure that a new, unique authorisation code is generated every time the system is invoked.
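The two paragraphs above describe the flaw and the fix only in outline. The following is an added illustration, not Huddle's code and not based on any knowledge of its implementation: a hypothetical login server whose authorisation code is derived from a coarse 20 ms time bucket, so two logins inside one bucket share a code and the faster redeemer takes the other user's session, placed beside a hardened server that issues a fresh random code per login, makes it single-use, and binds it to the browser session that started the login. The names, the bucket size and the session binding are assumptions made for the example; the session binding goes beyond the fix the article reports.

```python
import hashlib
import secrets

BUCKET_MS = 20  # assumed collision window, matching the 20 ms figure in the article


class WeakAuthServer:
    """Hypothetical login server: the authorisation code depends only on the
    time bucket, so two logins inside one bucket receive the same code."""

    def __init__(self):
        self.pending = {}   # auth code -> account it was issued for
        self.sessions = {}  # security token -> account

    def issue_code(self, account, now_ms):
        bucket = now_ms // BUCKET_MS
        code = hashlib.sha256(f"bucket:{bucket}".encode()).hexdigest()[:16]
        self.pending[code] = account   # a second issuance silently overwrites the first
        return code

    def exchange(self, code):
        account = self.pending.pop(code, None)  # first caller wins; code is consumed
        if account is None:
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = account
        return token


class FixedAuthServer:
    """Fresh random code per login, single use, and bound to the session that
    started the login (the binding is an added hardening, not the reported fix)."""

    def __init__(self):
        self.pending = {}   # auth code -> (account, session_id)
        self.sessions = {}

    def issue_code(self, account, session_id):
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; no time dependence
        self.pending[code] = (account, session_id)
        return code

    def exchange(self, code, session_id):
        entry = self.pending.pop(code, None)
        if entry is None or entry[1] != session_id:
            return None  # unknown, already used, or presented by a different session
        token = secrets.token_urlsafe(16)
        self.sessions[token] = entry[0]
        return token


def reproduce_collision():
    """Constructed scenario: two users log in 5 ms apart on the weak server.
    The first user's code equals the second's, and redeeming it yields the
    second user's session. Returns (codes_equal, account_reached, second_exchange)."""
    srv = WeakAuthServer()
    code_a = srv.issue_code("journalist", now_ms=1_000_000)
    code_b = srv.issue_code("other-company", now_ms=1_000_005)
    token = srv.exchange(code_a)  # the journalist is fastest to exchange
    return code_a == code_b, srv.sessions[token], srv.exchange(code_b)


def verify_fix():
    """Same scenario on the fixed server: codes differ, the journalist reaches
    only their own account, a code presented by the wrong session is refused,
    and a replayed code is refused."""
    srv = FixedAuthServer()
    code_a = srv.issue_code("journalist", session_id="sess-A")
    code_b = srv.issue_code("other-company", session_id="sess-B")
    tok_a = srv.exchange(code_a, "sess-A")
    stolen = srv.exchange(code_b, "sess-A")  # other user's code, wrong session
    replay = srv.exchange(code_a, "sess-A")  # single use
    return code_a != code_b, srv.sessions[tok_a], stolen, replay


if __name__ == "__main__":
    print("weak server :", reproduce_collision())
    print("fixed server:", verify_fix())
```

The point of the comparison is that uniqueness alone (the reported fix) removes the collision, but binding the code to the initiating session and consuming it on first use are the checks that stop a code reaching someone else's account even if it is ever duplicated, leaked or replayed.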
What Does This Mean For Your Business?
The important point for businesses to take away from this story is that even trusted, popular, market-leading 3rd party systems are likely to contain undiscovered bugs; no system is perfect, and while the chance of any one bug being found and exploited is usually small, this case shows it is not zero. It is also a good (and lucky) thing that a responsible person (the journalist) discovered and reported the bug so that it has now been fixed.
Critics, however, have highlighted the fact that it is surprising and worrying that a global leader in secure content collaboration that is supposed to offer a world-class service, and publicises how its system is trusted with sensitive government information could have its system so easily compromised, without the need for any hacking or illegal activity.
For the companies whose details have been accessed, it’s unlikely to be the rarity of such an event that concerns them, but more the fact that they trusted a 3rd party with their company security, and have suffered a potentially damaging breach as a result. It is also likely to damage trust in the Huddle service, raise questions about how rare such an event really is, and tempt some companies to switch suppliers, or perhaps to use the system only for less sensitive projects.