Security flaw in Huddle’s online tool exposes KPMG’s financial docs to a third party

Conor data breach

A security flaw in Huddle’s online tool allowed a BBC journalist to access KPMG’s private financial documents, thereby giving rise to questions about the software’s integrity and the firm’s commitment to privacy.

Huddle said the KPMG breach occurred because the same authorisation token was issued to two separate users who signed in within 20 milliseconds of each other.

Last week, a BBC journalist who signed in to Huddle’s online tool to reach a shared diary maintained by his team was instead logged in to a KPMG account by the tool, and stumbled upon sensitive financial documents belonging to KPMG.

After being contacted by the BBC, Huddle plugged the security flaw and explained why sensitive documents belonging to a firm were allowed to be accessed by a third party.

According to Huddle, if two different users sign in to its online tool within 20 milliseconds of each other, both of them are issued the same authorisation code. Each user must then present that code to a token issuer, which authenticates the user and returns an authentication token.

In this case, the BBC journalist was the first to present the shared authorisation code to the token issuer; he was issued an authentication token as “User A” and logged in to KPMG’s private database. According to Huddle, this will never happen again, as the old mechanism has been discontinued in favour of a new one in which every sign-in attempt receives its own unique authorisation code.
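To make the failure mode concrete, here is a constructed toy model of the code-issuer step described above. It is added example code, not Huddle’s implementation: the vulnerable issuer assumes the code was derived from a 20 ms clock tick (the article gives the window but not the mechanism), and the hardened issuer adds a PKCE-style verifier binding that the article does not mention.

```python
import hashlib
import secrets


def challenge(verifier):
    """PKCE-style binding: the client sends sha256(verifier) at sign-in and the raw verifier at redeem."""
    return hashlib.sha256(verifier.encode()).hexdigest()


class TimeKeyedIssuer:
    """Vulnerable (assumed mechanism): the code is derived from a 20 ms clock tick, so two sign-ins
    in the same tick get the same code and whoever redeems it first gets the first-bound identity."""

    def __init__(self):
        self.pending = {}  # code -> user it was first bound to

    def issue(self, user, now_ms, challenge_hex):
        code = f"code-{now_ms // 20}"
        self.pending.setdefault(code, user)  # a colliding sign-in silently shares the binding
        return code

    def redeem(self, code, verifier):
        return self.pending.pop(code, None)  # no proof that the redeemer started this sign-in


class RandomIssuer:
    """Hardened: unguessable per-request code, single use, and bound to the sign-in that requested it."""

    def __init__(self):
        self.pending = {}  # code -> (user, challenge_hex)

    def issue(self, user, now_ms, challenge_hex):
        code = secrets.token_urlsafe(32)  # 256 bits of randomness, independent of the clock
        self.pending[code] = (user, challenge_hex)
        return code

    def redeem(self, code, verifier):
        entry = self.pending.pop(code, None)  # single use: a second redeem, or a wrong verifier, burns it
        if entry is None or challenge(verifier) != entry[1]:
            return None
        return entry[0]


def simulate(issuer):
    """Two users sign in 5 ms apart and the second one redeems first; returns (codes_collided, who_they_became)."""
    t = 1_700_000_000_000  # constructed epoch-ms timestamp
    ver_a, ver_b = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    code_a = issuer.issue("user_a", t, challenge(ver_a))
    code_b = issuer.issue("user_b", t + 5, challenge(ver_b))
    return code_a == code_b, issuer.redeem(code_b, ver_b)
```

With the time-keyed issuer, `simulate` reports a collision and hands the second user the first user’s identity, which is the outcome the article describes; with the random issuer the codes differ and each user only ever becomes themselves.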

‘With 4.96 million log-ins to Huddle occurring over the same time-period, the instances of this bug occurring were extremely rare. However, Huddle takes the security of its client data extremely seriously and the owners of any accounts that we believe may have been compromised by this bug have been notified,’ said a spokesperson for Huddle.

‘We wish to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated. We are continuing to work with the owners of the accounts that we believe may have been compromised, and apologise to them unreservedly,’ he added.

In its clarification, Huddle also admitted that the flaw had affected ‘six individual user sessions between March and November this year’. One of the BBC’s own Huddle accounts was among those accessed by a third party, although no files were stolen.

Copyright Lyonsdown Limited 2021
