The BBC has discovered a security flaw in the office collaboration tool Huddle, which led to private documents being exposed to unauthorised parties.
A BBC journalist was inadvertently signed into a KPMG account, with full access to private financial documents.
Huddle is an online tool that allows colleagues to share content and work together, and describes itself as “the global leader in secure content collaboration”.
The company said it had fixed the defect.
Its software is used by the Home Office, the Cabinet Office, Revenue & Customs, and different branches of the health service for sharing documents, diaries, and messages.
“If someone is going to put themselves out there as a world-class service to look after information for you, this should not happen,” said Prof Alan Woodward, from the University of Surrey.
“Huddles contain some very sensitive information.”
In a statement, Huddle said the bug had affected six user sessions between March and November of this year.
“With 4.96 million log-ins to Huddle having occurred in the same time period, the instances of this bug occurring are extremely rare,” it said.
As well as a BBC employee being redirected into the KPMG account, Huddle said that a third party had gained access to one of the BBC’s Huddle accounts.
KPMG has not yet responded to the BBC’s request for comment.
How was the defect discovered?
On Wednesday, a BBC correspondent signed in to Huddle to access a shared calendar that his team kept on the platform.
He was, however, signed into a KPMG account, with a directory of private documents and invoices, and an address book.
The BBC then contacted Huddle to report the problem.
The company also revealed that a third party had gained access to the Huddle for the BBC children’s programme Hetty Feather, but said no documents had been opened.
How could this happen?
During the Huddle login process, the client device requests an authorization code.
According to Huddle, if two people arrived at the same login server within 20 milliseconds of one another, they would both be issued the same authorization code.
This authorization code is used for the next step, in which a security token is issued, allowing the client to access their Huddle.
Once User A and User B hold the same authorization code, whichever of them is fastest to request the security token is logged in as User A.
How has Huddle dealt with this?
Huddle has now changed its system so that each time it is invoked, it generates a new authorization code.
This ensures that no two people are ever issued the same code at the same time.
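The following is a constructed Python model of the race the article describes, added here as an illustration; it is not Huddle’s code, and the class names, the 20 ms time-bucket derivation of the code, and the session binding are all assumptions. The weak issuer derives the authorization code from a coarse time window, so two logins in the same window receive one code and the second login redeems it as the first user. The hardened issuer does what the article says the fix does (a fresh random code on every invocation) and additionally binds the code to the session that requested it, makes it single-use and gives it a short lifetime, which goes beyond what the article states about Huddle’s change.

```python
import secrets
from typing import Optional


class WeakAuthCodeIssuer:
    """Constructed model of the race described in the article (not Huddle's code).

    The authorization code is derived from a 20 ms time bucket, so two login
    requests that land in the same bucket are handed the same code, and the
    code stays bound to whichever user was issued it first.
    """

    def __init__(self, window_ms: int = 20) -> None:
        self.window_ms = window_ms
        self._codes: dict[str, str] = {}  # code -> user it was first bound to

    def issue_code(self, user: str, now_ms: int) -> str:
        # Defect: the code depends only on the time window, not on the requester.
        code = f"ac-{now_ms // self.window_ms}"
        self._codes.setdefault(code, user)  # a colliding request keeps the first binding
        return code

    def redeem(self, code: str) -> Optional[str]:
        # Whoever presents the code is logged in as the user it was first bound to.
        return self._codes.get(code)


class HardenedAuthCodeIssuer:
    """Fresh random code per invocation, bound to the requesting session, single use, short lived."""

    def __init__(self, ttl_ms: int = 60_000) -> None:
        self.ttl_ms = ttl_ms
        self._codes: dict[str, tuple[str, str, int]] = {}  # code -> (user, session, expiry)

    def issue_code(self, user: str, session_id: str, now_ms: int) -> str:
        code = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output, new on every call
        self._codes[code] = (user, session_id, now_ms + self.ttl_ms)
        return code

    def redeem(self, code: str, session_id: str, now_ms: int) -> Optional[str]:
        entry = self._codes.pop(code, None)  # pop makes the code single use
        if entry is None:
            return None
        user, bound_session, expires_at = entry
        # Reject expired codes and codes presented by a session other than the one that requested them.
        if now_ms > expires_at or not secrets.compare_digest(bound_session, session_id):
            return None
        return user


def weak_collision_demo() -> dict:
    """Two constructed users log in 5 ms apart: both get the same code and B is logged in as A."""
    issuer = WeakAuthCodeIssuer(window_ms=20)
    code_a = issuer.issue_code("user_a", now_ms=1_000)
    code_b = issuer.issue_code("user_b", now_ms=1_005)
    return {"same_code": code_a == code_b, "b_logged_in_as": issuer.redeem(code_b)}


def hardened_demo() -> dict:
    """Same timing against the hardened issuer: distinct codes, replay and cross-session use rejected."""
    issuer = HardenedAuthCodeIssuer()
    code_a = issuer.issue_code("user_a", "sess-a", now_ms=1_000)
    code_b = issuer.issue_code("user_b", "sess-b", now_ms=1_005)
    return {
        "same_code": code_a == code_b,
        "a_logged_in_as": issuer.redeem(code_a, "sess-a", now_ms=1_010),
        "b_logged_in_as": issuer.redeem(code_b, "sess-b", now_ms=1_010),
        "replay_rejected": issuer.redeem(code_a, "sess-a", now_ms=1_020) is None,
        "wrong_session_rejected": issuer.redeem(
            issuer.issue_code("user_c", "sess-c", 2_000), "sess-a", 2_010
        ) is None,
        "expired_rejected": issuer.redeem(
            issuer.issue_code("user_d", "sess-d", 3_000), "sess-d", 3_000 + 60_001
        ) is None,
    }


if __name__ == "__main__":
    print(weak_collision_demo())
    print(hardened_demo())
```

The weak issuer shows why a per-invocation random code is the essential fix: a code whose value is determined by anything two requesters can share (here, a time window) is a collision waiting to happen under load, and log-in volume alone makes the race likely to fire eventually. The session binding and single-use check in the hardened version are the defence-in-depth layer that turns a leaked or guessed code into a rejected request rather than a login.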
“We want to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated,” the company told the BBC.
“We are continuing to work with the owners of the accounts that we believe may have been compromised, and we apologise to them unreservedly.”