Slashdot Mirror


Huddle's 'Highly Secure' Work Tool Exposed KPMG And BBC Files (bbc.com)

Chris Foxx, reporting for BBC: The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties. A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents. Huddle is an online tool that lets work colleagues share content and describes itself as "the global leader in secure content collaboration." The company said it had fixed the flaw. Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages. "If somebody is putting themselves out there as a world-class service to look after information for you, it just shouldn't happen," said Prof Alan Woodward, from the University of Surrey. "Huddles contain some very sensitive information."

36 comments

  1. Why is this even possible? by ctilsie242 · · Score: 2

    That just seems odd... 20 milliseconds is a long time when it comes to computers, and having the same "auth code" which can get one user to have another user's token seems like piss-poor design. This never should have been done in the first place.

    1. Re:Why is this even possible? by 110010001000 · · Score: 0

      Software like this is usually designed by Millennials who have no concept of doing things right.

    2. Re:Why is this even possible? by Anonymous Coward · · Score: 1

      I would probably surmise the place did some Scrum methodology, and because of the daily public humiliation at the stand-up meeting, if deliverables were not done, no matter how insane they were, developers took shortcuts in security. Bad security won't affect them, as the legal/PR guys handle it. However, taking time to do things "right" means being excoriated by the Scrum master the next day, or even fired and replaced with a dev who will cough up code for the sprints, no matter how insecure it is.

    3. Re:Why is this even possible? by 110010001000 · · Score: 2, Insightful

      +1 Insightful. They "sprinted" right off the cliff and fell through the Clouds.

    4. Re:Why is this even possible? by Anonymous Coward · · Score: 0

      I would probably surmise the place did some Scrum methodology, and because of the daily public humiliation at the stand-up meeting, if deliverables were not done, no matter how insane they were, developers took shortcuts in security. Bad security won't affect them, as the legal/PR guys handle it. However, taking time to do things "right" means being excoriated by the Scrum master the next day, or even fired and replaced with a dev who will cough up code for the sprints, no matter how insecure it is.

      Agile == pretend we know what we're doing

    5. Re:Why is this even possible? by admin7087 · · Score: 1

      These things keep happening because companies are not really held accountable for their software, not even in security-sensitive domains. They apologize and are then rewarded with additional contracts to fix the issues.

    6. Re:Why is this even possible? by Anonymous Coward · · Score: 0

      Thanks
      http://maes2tro.blogspot.com/

    7. Re:Why is this even possible? by FeelGood314 · · Score: 1

      It's caused by multiple layers of code/tools/frameworks. My guess: What one programmer assumed to be a synchronous function call to get an authorization code turns out to eventually get passed to some sort of inter-process messaging system. The messaging system never had a way to match requests to responses and just passes the last message it gets back.

      In my opinion these types of systems, that is ones with multiple layers of frameworks and processes communicating with each other, can't be secure. Unfortunately that attitude got me "let go" from my last security job.

    8. Re:Why is this even possible? by bluefoxlucid · · Score: 1

      How appropriate, as you're pretending to know what you're talking about.

      Agile project management is about reducing risks by scheduling things in smaller, more-manageable pieces so you can verify, define, learn from, and build upon them. Turns out people will break down a project into a bunch of definable work packages that have to all be implemented completely before anything "whole" is delivered; so instead, you build whole building blocks, whole features, whole APIs, whole subsystems, etc. to solve particular problems. That could be a whole authentication API that goes with a whole data management API, and then you can swap out the authentication back-end if needed--as opposed to building the "core library" that's not really done or working or alterable without breaking other things because it's one giant unit with vertically-integrated design.

      Incremental and iterative delivery also let the customer test and validate whatever you deliver, so they can come back and tell you that part isn't right before you build the other 90% to rely on exactly how the broken thing operates. It lets your QA testers have at it, too.

    9. Re:Why is this even possible? by Anonymous Coward · · Score: 0

      True, any secure system has encrypted files per user & file keys, so even if a bug gives a file to the wrong user, he cannot read it. But encryption is bad for the user data monetizing business these cloud companies get their money from.

    10. Re:Why is this even possible? by SB5407 · · Score: 1

      Are you saying that all millennials make buggy software, or are you saying that software like that is usually made by the subset of millennials that don't know how to do things right?

    11. Re:Why is this even possible? by lewiscr · · Score: 1

      I also died that way in King's Quest 1.

    12. Re:Why is this even possible? by thomn8r · · Score: 1

      Found the PMP consultant!

    13. Re:Why is this even possible? by lewiscr · · Score: 2

      Agile == pretend we know what we're doing

      I prefer to say "Agile == Admit you don't know what you're doing, but you're going to figure it out as you go."

      Security seems to go with experience, not methodology. There are uncountable examples of poor security, regardless of development styles. There are plenty of examples of good security coming out of Agile shops. Just because there are plenty of inexperienced teams using Agile doesn't mean it's Agile's fault.

    14. Re:Why is this even possible? by 140Mandak262Jamuna · · Score: 2

      That bullshit will impress idiots with MBAs, not the actual down and dirty coders.

      All the Agile evangelists take the same damned line, "Agile, done correctly, will not have these problems". "But.. But these problems exist". "Ah, they are not doing Agile correctly, because, now say it with me, Agile, done correctly, will not have these problems".

      I simply say, "Agile can not be done correctly, Agile will not save you money or time or effort".

      Instead of hiring qualified coders and good managers, you hire scrum masters who promise to make a baby in one month and get nine women pregnant.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

    15. Re:Why is this even possible? by bluefoxlucid · · Score: 1

      MBAs are mostly looking at "Agile" and reading "no planning!" Problem: Agile development is heavy on planning--it's still easily 60% of the process. Actual execution makes up less than half of your time.

      We've hired plenty of programmers who make shit code. We also hired two programmers who flipped chairs over the horrendous mess their predecessors left and three who were actually useful but also not freaking out. The ones who were writing good code were also lobbying for things like coding standards, requirements gathering, and scope control. It took a little effort to get them to actually accept project management: they kept asking for PM, but didn't like the PM label--until they got an explanation of what PM is.

      Here's a hint: if you sit down and just start writing code that spits out the expected result, you're probably a bad programmer. If you're plotting out risks like architectural changes, potential reuse of facilities for new features, and expansion of use case to require higher number of users and thus a new back-end architecture (cloud, sharded databases, etc.) before you start coding, you're probably a not-bad programmer. If you think there are any actually good programmers, you haven't quite grasped programming yet. This reasoning applies to many fields--it wasn't until 2013 that the entire field of project management finally accepted that maybe they should consider the particulars of managing people who are impacted in some way by the projects they're managing, because most of us are bureaucratic paper pushers and we need to be people persons.

    16. Re: Why is this even possible? by Reverend+Green · · Score: 1

      Sounds about right. Scrum almost always produces poorly thought out, rushed, and therefore low quality software.

      But hey - it's Agile(tm), so when it inevitably sucks, that's because You Weren't Doing Agile Right(tm)!

    17. Re: Why is this even possible? by Reverend+Green · · Score: 1

      Hahaha - get real, broham. No one's fooled anymore.

    18. Re: Why is this even possible? by bluefoxlucid · · Score: 1

      Just like nobody's fooled anymore about programmers in America with Bachelor's degrees really being any better than programmers in India who started googling PHP functions a few weeks ago, right?

    19. Re: Why is this even possible? by Reverend+Green · · Score: 1

      You never met a talented programmer from India? Really?

    20. Re: Why is this even possible? by bluefoxlucid · · Score: 1

      I've met plenty; just not in the bottom-of-the-barrel $5/day crew that management wants to hire all the time.

      Strike that. I've met one who wasn't the world's best programmer but had repeatedly explained to his colleagues not to architect the way they had, and was absolutely correct about the architecture being crap. That's what got me into project management in the first place: that information was available, it was visible; nobody reacted to it. In the end, we fired the contracted programming team--years later--and put our own team to work un-fucking the finished product. One of those guys still has a good relationship with us.

  2. As someone here loves saying... by serviscope_minor · · Score: 1

    The cloud is just someone else's servers.

    It's amazing how much people trust other people's servers. Some are good: both Google and Amazon, for example, have a good reputation when it comes to the security of the core infrastructure.

    But they are large, frequently attacked, and have been around a while. It's amazing how much trust people will put in a company that simply talks a good game but doesn't really have anything to back that up.

    --
    SJW n. One who posts facts.

    1. Re:As someone here loves saying... by bluefoxlucid · · Score: 1

      Generally, we're seeing a trend of individual data centers getting hacked. For IAAS and SAAS, we're finding that the guy in data center A who had to deal with a security issue is also the guy in data center B who hasn't yet, because they're the same guy: the service provider runs stuff for multiple clients.

      It's more efficient. That doesn't mean the service platform itself doesn't sometimes have flaws, or that the new provider won't get hacked to hell; it just means anything that's been running for reasonably long (even a small player with a dozen or so clients) is probably more secure, more stable, and better managed than whatever you're going to build in-house.

  3. Dear Prof Woodward, by Anonymous Coward · · Score: 1

    Anyone that exposes "very sensitive information" to the internet is a fool.
    Period
    End of Message

    1. Re:Dear Prof Woodward, by Anonymous Coward · · Score: 1

      Fuck you. Some people have business models that are built around secure information storage and sharing. You need to stop listening to the hype, Chicken Little, and get into the 21st century. Yes, there may be a hiccup here or there but in general the value and convenience of being able to share information ubiquitously far outweighs whatever minor glitch we sometimes run across (and quickly fix). Security can sometimes be a moving target, but with each experience we learn and become better. Someday we will have the perfect system.
      -Equifax

    2. Re:Dear Prof Woodward, by HumanWiki · · Score: 1

      Anyone that exposes "very sensitive information" to the internet is a fool.
      Period
      End of Message

      So, you don't use any online services at all?

      No online banking?
      No online payments?
      No online shopping?
      No online access to your health insurance?

      etc.

      Every single one of those can and does have very sensitive information in it or passing through it.

  4. As someone here loves saying...networks. by Anonymous Coward · · Score: 0

    Collaboration doesn't imply "clouds", but it does imply networks.

  5. Diary = calendar by FormOfActionBanana · · Score: 1

    In British business English, a "diary" is a calendar. Just in case you were wondering why businesspeople were writing their diaries on workplace cloud services.

    --
    Take off every 'sig' !!

  6. Et tu ... by CaptainDork · · Score: 1

    ... Brute?

    --
    It little behooves the best of us to comment on the rest of us.

  7. encrypted files per user & file keys - failure by FeelGood314 · · Score: 2

    Even that doesn't always help. If the system is complicated enough you can still be hacked. Here is a bug we found in one of our systems where the files were encrypted and the process handling the data could only access one particular user's data. Also, the output of the system could only send an email to the active user. Somewhere in the processing of the data a JavaScript function was called with the data. In the JavaScript we were able to redefine one of the functions so that it acted correctly on the current user's data but then stored that user's data in an array. The malicious user could put this code in their own data. It would then run normally for every other user, but when the malicious user's data was processed again it would email back everyone's data. The exploit was in a Kendo grid framework, five layers removed from the person who did the database securing. I'm 100% sure that we could have found other bugs, but this was just an example of why all these fancy layers and tools make security impossible.

  8. Re:encrypted files per user & file keys - fail by Afty0r · · Score: 1

    If it's running in Javascript, Kendo UI, it's client-side. Whoever was responsible for the server-side developing ALSO fucked up here - the server should *NOT* have trusted a client input without validating it. If it had been validated on the server, this would have been impossible. When the Kendo Grid returned values, the API or handler should have checked that those values were correct for the logged in user.

    You are correct that a myriad of tools/frameworks makes security more difficult, but most companies still don't invest in security. It's difficult, not impossible.

  9. Re:encrypted files per user & file keys - fail by Anonymous Coward · · Score: 0

    Even that doesn't always help. If the system is complicated enough you can still be hacked. Here is a bug we found in one of our systems where the files were encrypted and the process handling the data could only access one particular user's data. Also, the output of the system could only send an email to the active user. Somewhere in the processing of the data a JavaScript function was called with the data. In the JavaScript we were able to redefine one of the functions so that it acted correctly on the current user's data but then stored that user's data in an array. The malicious user could put this code in their own data. It would then run normally for every other user, but when the malicious user's data was processed again it would email back everyone's data. The exploit was in a Kendo grid framework, five layers removed from the person who did the database securing. I'm 100% sure that we could have found other bugs, but this was just an example of why all these fancy layers and tools make security impossible.

    I found your problem!

  10. KPMG files exposed? Look closely and will likely s by Anonymous Coward · · Score: 0

    Guess we should quickly have a look at those KPMG files... Might contain more damning information of tax evasion and money laundering like The Gupta Leaks emails exposed in South Africa. I know it's a bit of an off topic rant but as I live there I'm pretty incensed at KPMG and their dirty tricks which they pulled for 'President' Jacob Zuma (knobhead of the century).

  11. huddle desktop app session never logs out by Anonymous Coward · · Score: 0

    If you ever access Huddle on a public computer using the Huddle desktop app, it will never end the session, even after you reboot the computer.
    The session cookie is always there.

  12. OH NO! by Anonymous Coward · · Score: 0

    There go all my BBC pics :(