Author: edfu777 [AT] hotmail [DOT] com (Nick Farrell) Fudzilla.com – Home
Office collaboration tool was wide open
The BBC discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties.
For those who came in late, Huddle is an online tool that lets work colleagues share content and describes itself as “the global leader in secure content collaboration.”
Its big clients include the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS, which use it to share documents, diaries and messages.
Unfortunately, the BBC happens to be one of the customers, and apparently a BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents.
Huddle said it had fixed the flaw which affected “six individual user sessions between March and November this year”.
“With 4.96 million log-ins to Huddle occurring over the same time period, the instances of this bug occurring were extremely rare,” it said.
Huddle admitted that a third party had accessed one of the BBC’s Huddle accounts.
The problem occurs during the Huddle sign-in process, when the customer’s device requests an authorisation code.
According to Huddle, if two people arrived on the same login server within 20 milliseconds of one another, they would both be issued the same authorisation code.
This authorisation code is carried over to the next step, in which a security token is issued, letting the customer access their Huddle.
Since both User A and User B present the same authorisation code, whoever is fastest to request the security token is logged in as User A.
Huddle has now changed its system so that every time it is invoked, it generates a new authorisation code.
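The sign-in race described above, as an added example that is not Huddle's code: `FlawedIssuer` is an assumed model in which arrivals inside the 20 ms window receive the same authorisation code, and `FixedIssuer` generates a new code on every invocation. Class, function and user names and the timestamps are constructed for illustration.

```python
import secrets

WINDOW_MS = 20  # collision window Huddle reported


class FlawedIssuer:
    """Assumed model of the bug: arrivals inside the window share one code."""

    def __init__(self):
        self._owner = {}           # authorisation code -> user it was issued for
        self._last = (None, None)  # (code, issue time in ms)

    def authorise(self, user, now_ms):
        code, issued_ms = self._last
        if code is not None and now_ms - issued_ms < WINDOW_MS:
            return code            # second arrival receives the first user's code
        code = secrets.token_urlsafe(32)
        self._owner[code] = user
        self._last = (code, now_ms)
        return code

    def token(self, code):
        # The code is redeemed once, for the user it was first issued to.
        return self._owner.pop(code, None)


class FixedIssuer(FlawedIssuer):
    def authorise(self, user, now_ms):
        code = secrets.token_urlsafe(32)  # new code on every invocation
        self._owner[code] = user
        return code


def simulate(issuer):
    code_a = issuer.authorise("user_a", now_ms=1000)
    code_b = issuer.authorise("user_b", now_ms=1012)  # 12 ms later
    session_for_b = issuer.token(code_b)  # User B redeems first
    session_for_a = issuer.token(code_a)
    return code_a == code_b, session_for_b, session_for_a


if __name__ == "__main__":
    print("flawed:", simulate(FlawedIssuer()))
    print("fixed: ", simulate(FixedIssuer()))
```

In the flawed model User B's device ends up holding User A's session and User A's own request fails; with a fresh code per request each user gets their own session.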