A security flaw in Huddle’s online tool allowed a BBC journalist to access KPMG’s private financial documents, raising questions about the software’s integrity and the firm’s commitment to privacy.
Huddle said the KPMG breach occurred because the same authorisation token was issued to two separate users who signed in within 20 milliseconds of each other.
Last week, a BBC journalist who signed on to Huddle’s online tool to access a shared diary maintained by his team was instead logged in to a KPMG account by the tool, and stumbled upon sensitive financial documents belonging to KPMG.
After being contacted by the BBC, Huddle plugged the security flaw and explained why sensitive documents belonging to a firm were allowed to be accessed by a third party.
According to Huddle, if two different users sign on to its online tool within 20 milliseconds of each other, both of them are issued the same authorisation code. Users must then present that code to a token issuer, which authenticates them and issues an authentication token.
In this case, the BBC journalist was the first to present the authorisation code to the token issuer, was given an authentication token as “User A”, and was logged in to KPMG’s secret database. According to Huddle, this will never happen again, as this practice has been discontinued in favour of a new protocol in which every sign-in attempt is accompanied by a unique authorisation code.
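The two flows the report describes, as an added illustration that is not Huddle’s code: the flawed issuer derives the authorisation code from a coarse 20 ms clock bucket (an assumption made to model the collision the report attributes to the bug), while the corrected issuer gives every sign-in an unpredictable, single-use code bound to the user it was issued to. Class and function names are hypothetical.

```python
import secrets

WINDOW_MS = 20  # sign-ins within the same 20 ms window collide (per the report)


class TimestampCodeIssuer:
    """Model of the flawed flow: the code depends only on a coarse clock, so two
    sign-ins in one window get the same code and the store keeps the first user."""

    def __init__(self):
        self.codes = {}  # authorisation code -> user it was first issued to

    def issue(self, user, now_ms):
        code = f"code-{now_ms // WINDOW_MS}"
        self.codes.setdefault(code, user)  # the second sign-in does not overwrite
        return code

    def exchange(self, code):
        # Whoever presents the code first gets the identity stored under it.
        return self.codes.get(code)


class RandomCodeIssuer:
    """Corrected flow: each sign-in gets a fresh 256-bit code, bound to the
    signing-in user, and redeemable exactly once."""

    def __init__(self):
        self.codes = {}

    def issue(self, user, now_ms):
        code = secrets.token_urlsafe(32)  # CSPRNG, independent of the clock
        self.codes[code] = user
        return code

    def exchange(self, code):
        return self.codes.pop(code, None)  # single use: a replay returns None


def simulate(issuer_cls, t_a=1000, t_b=1015):
    """Two users sign in; user B (the journalist in the report) redeems first.
    Returns (codes collided?, identity B received, identity A received)."""
    issuer = issuer_cls()
    code_a = issuer.issue("user_a", t_a)
    code_b = issuer.issue("user_b", t_b)
    return code_a == code_b, issuer.exchange(code_b), issuer.exchange(code_a)


def replay_rejected():
    """A redeemed code must not be accepted a second time."""
    issuer = RandomCodeIssuer()
    code = issuer.issue("user_a", 0)
    return issuer.exchange(code) == "user_a" and issuer.exchange(code) is None
```

With the flawed issuer, `simulate` shows user B receiving user A’s identity; with the corrected one, each user gets only their own session and a replayed code is refused.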
‘With 4.96 million log-ins to Huddle occurring over the same time-period, the instances of this bug occurring were extremely rare. However, Huddle takes the security of its client data extremely seriously and the owners of any accounts that we believe may have been compromised by this bug have been notified,’ said a spokesperson for Huddle.
‘We wish to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated. We are continuing to work with the owners of the accounts that we believe may have been compromised, and apologise to them unreservedly,’ he added.
While delivering its clarification, Huddle also admitted that the security flaw had affected ‘six individual user sessions between March and November this year’. One of the BBC’s own accounts on Huddle was also accessed by a third party, but no files were stolen.