Security flaw in Huddle’s online tool exposes KPMG’s financial docs to a third party

Security flaw in Huddle’s online tool exposes KPMG’s financial docs to a third party

Conor data breach

A security flaw in Huddle’s online tool allowed a BBC journalist to access KPMG’s private financial documents, thereby giving rise to questions about the software’s integrity and the firm’s commitment to privacy.

Huddle said the KPMG breach occurred because the same authorisation token was issued to two separate users who signed in within 20 milliseconds of each other.

Last week, a BBC journalist, who signed on to Huddle’s online tool to access a shared diary maintained by his team, stumbled upon sensitive financial documents belonging to KPMG after he was logged in to a KPMG account by Huddle’s online tool.

After being contacted by the BBC, Huddle plugged the security flaw and explained why sensitive documents belonging to a firm were allowed to be accessed by a third party.

According to Huddle, if two different users sign on to its online tool within 20 milliseconds of each other, both of them are issued the same authorisation code. Once they receive authorisation codes, users are required to take such codes to a token issuer who will authenticate the user.

In this case, the BBC journalist was the first to take the authorisation code to the token issuer and was given an authentication token as “User A” and was logged in to KPMG’s secret database. According to Huddle, this will never happen again as this practice has been discontinued in favour of a new protocol wherein every sign-in attempt will be accompanied by a unique authorisation code.

‘With 4.96 million log-ins to Huddle occurring over the same time-period, the instances of this bug occurring were extremely rare. However, Huddle takes the security of its client data extremely seriously and the owners of any accounts that we believe may have been compromised by this bug have been notified,’ said a spokesperson for Huddle.

‘We wish to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated. We are continuing to work with the owners of the accounts that we believe may have been compromised, and apologise to them unreservedly,’ he added.

While delivering its clarification, Huddle also admitted that the said security flaw had affected ‘six individual user sessions between March and November this year’. In fact, one of BBC’s accounts on Huddle was also accessed by a third party but no files were stolen.

Copyright Lyonsdown Limited 2021

Top Articles

Top 6 Mobile App-Related Data Breaches

Smartphones are a prevalent feature in modern life. With more than three billion smartphone users around the world, who downloaded over 200 billion apps in 2019, it comes as no…

Cyber-security blind spots in PaaS and IaaS environments

Research finds that 100% of companies experienced a security incident, but continue to expand their footprint

Popping the hood on deep learning

Now that cyber-criminals have learned how to compromise machine learning defences, deep learning provides a way forward for security teams

Related Articles

[s2Member-Login login_redirect=”” /]