Huddle
show image

Oscar Williams

News editor

Huddle’s “secure” collaboration tool gave users access to other companies’ documents

Huddle, a collaboration tool used by several government departments, has been accidentally signing users into other companies’ accounts, the BBC has reported.

A BBC journalist was reportedly inadvertently signed into an account belonging to the professional services firm KPMG, granting the employee access to private documents.

The firm behind the software, which is used by the Home Office, Cabinet Office, Revenue and Customs and several divisions of the NHS, say they have fixed the flaw.

A spokesperson also said the incidents were “extremely rare” and only affected six individual users sessions in 4.96 million log-ins between March and November this year.

But security experts have questioned why the vulnerability was allowed to surface in a service marketed as a secure platform for sharing sensitive documents.

Bill Evans, senior director at One Identity, said: “Huddle bills itself as ‘secure document collaboration for teams, enterprise and government organizations’.  That’s great…except the operative word there is secure.  Clearly, as demonstrated by this situation, there is a lack of security.”

But he added that Huddle had been forthcoming regarding the bug and had fixed it: “Moreover, it was clear that this bug was encountered incredibly infrequently.”

Huddle said the security flaw emerged because during the sign in process, the customer’s device asks for an authorisation code.

If two people arrived on the same login server within 20 milliseconds, they would be given the same code. Whoever is fastest in then requesting a security token is logged in as user A, even if they are user B.

The firm patched the bug by generating a new authorisation code for each user.

A Huddle spokesperson told NS Tech that none of the instances represented malicious attempts by one party to access to another party’s data:

“Huddle takes the security of its client data extremely seriously and the owners of any accounts that we believe may have been compromised by this bug have been notified.”