Huddle's 'Highly Secure' Work Tool Exposed KPMG And BBC Files (bbc.com)
Chris Foxx, reporting for BBC: The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties. A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents. Huddle is an online tool that lets work colleagues share content and describes itself as "the global leader in secure content collaboration." The company said it had fixed the flaw. Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages. "If somebody is putting themselves out there as a world-class service to look after information for you, it just shouldn't happen," said Prof Alan Woodward, from the University of Surrey.
"Huddles contain some very sensitive information."
That just seems odd... 20 milliseconds is a long time when it comes to computers, and having the same "auth code" which can get one user to have another user's token seems like piss-poor design. This never should have been done in the first place.
Even that doesn't always help. If the system is complicated enough you can still be hacked. Here is a bug we found in one of our systems where the files were encrypted and the process handling the data could only access one particular user's data. Also the output of the system could only send an email to the active user. Somewhere in the processing of the data a JavaScript function was called with the data. In the JavaScript we were able to redefine one of the functions so that it acted correctly on the current user's data but then stored that user's in an array. The malicious user could put this code in their own data. It would then run normally for every other user, but when the malicious user's data was processed again it would email back everyone's data. The exploit was in a Kendo grid framework, five layers removed from the person who did the database securing. I'm 100% sure that we could have found other bugs, but this was just an example of why all these fancy layers and tools make security impossible.