
Huddle lets in outsiders

Author: Nick Farrell (edfu777 [AT] hotmail [DOT] com), Fudzilla.com

Office collaboration tool was wide open

The BBC discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties.

For those who came in late, Huddle is an online tool that lets work colleagues share content and describes itself as “the global leader in secure content collaboration.”

Its big clients include the Home Office, Cabinet Office, Revenue & Customs and several branches of the NHS, which use it to share documents, diaries and messages.

The BBC happens to be one of those customers, and a BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents.

Huddle said it had fixed the flaw which affected “six individual user sessions between March and November this year”.

“With 4.96 million log-ins to Huddle occurring over the same time period, the instances of this bug occurring were extremely rare,” it said.

Huddle admitted that a third party had accessed one of the BBC’s Huddle accounts.

The problem occurs during the Huddle sign-in process, in which the customer's device requests an authorisation code.

According to Huddle, if two people arrived on the same login server within 20 milliseconds of one another, they would both be issued the same authorisation code.

This authorisation code is carried over to the next step, in which a security token is issued, letting the customer access their Huddle.

Since User A and User B both present the same authorisation code, whichever of them is faster to exchange it for the security token is logged in as User A.

Huddle has now changed its system so that every sign-in request generates a fresh, unique authorisation code.
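To make the race concrete, here is an added example (it is not Huddle's code and is not taken from the BBC report). As a hypothetical reconstruction of the behaviour described above, the vulnerable issuer derives its authorisation code from a 20 ms clock bucket, so two sign-ins in the same window receive the same code and the code is bound to whichever user arrived first. Beside it is a hardened issuer that draws a fresh random code from a CSPRNG for every request, binds it to the requesting client, gives it a short lifetime and lets it be exchanged only once. The class and function names, the `client_id` parameter and the fixed clock used to force both users into one window are all assumptions of the example.

```python
import secrets
import threading
import time


class VulnerableIssuer:
    """Hypothetical reconstruction: the code depends only on a 20 ms clock bucket."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.codes = {}  # code -> user the code was first bound to

    def issue_code(self, user):
        bucket = int(self.clock() * 1000) // 20  # same bucket within 20 ms
        code = f"code-{bucket}"
        # First caller in the bucket wins the binding; a second caller in the
        # same bucket gets the identical code, still bound to the first user.
        self.codes.setdefault(code, user)
        return code

    def exchange(self, code):
        # Not single-use, and the presenter is never checked against the
        # user the code was issued to: whoever presents it first is logged in.
        user = self.codes.get(code)
        return None if user is None else f"token-for-{user}"


class HardenedIssuer:
    """Fresh random code per request, bound to the client, short-lived, single-use."""

    CODE_LIFETIME_S = 60

    def __init__(self):
        self.codes = {}  # code -> (user, client_id, expiry)
        self.lock = threading.Lock()

    def issue_code(self, user, client_id):
        code = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG, never time-derived
        with self.lock:
            self.codes[code] = (user, client_id, time.monotonic() + self.CODE_LIFETIME_S)
        return code

    def exchange(self, code, client_id):
        with self.lock:
            entry = self.codes.pop(code, None)  # pop makes the code single-use
        if entry is None:
            return None  # unknown, already used, or forged
        user, bound_client, expiry = entry
        if bound_client != client_id or time.monotonic() > expiry:
            return None  # presented by a different client, or expired
        return f"token-for-{user}"


def run_vulnerable_scenario():
    """Two users arrive in the same 20 ms window; user B exchanges first."""
    issuer = VulnerableIssuer(clock=lambda: 1000.0)  # fixed clock: same window
    code_a = issuer.issue_code("user_a")
    code_b = issuer.issue_code("user_b")
    token_b = issuer.exchange(code_b)  # B is faster and is logged in as A
    token_a = issuer.exchange(code_a)
    return code_a == code_b, token_b, token_a


def run_hardened_scenario():
    """Same two users against the hardened issuer, plus a replay and a cross-client attempt."""
    issuer = HardenedIssuer()
    code_a = issuer.issue_code("user_a", "client-a")
    code_b = issuer.issue_code("user_b", "client-b")
    cross = issuer.exchange(code_a, "client-b")  # wrong client: rejected, code consumed
    token_b = issuer.exchange(code_b, "client-b")
    replay = issuer.exchange(code_b, "client-b")  # second use: rejected
    return code_a != code_b, cross, token_b, replay


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable_scenario())
    print("hardened:  ", run_hardened_scenario())
```

The vulnerable run shows both users receiving an identical code and both exchanges yielding a token for user A, which is the outcome the article describes. The hardened issuer makes the collision astronomically unlikely (256 random bits per request), and even a leaked or shared code cannot be used by another client or used twice, so the fix does not rest on the code generator alone.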
