Skip to main content

Huddle’s in a muddle as service is hit by truly frightening security bug

Do you use Huddle? The well-known collaboration and project management software suffered from an extremely worrying security hole, according to the BBC – although the issue has now been fixed, you’ll doubtless be pleased to hear.

As the Beeb reports, one of its journalists was using the software and found themselves signed in to a KPMG account, with access to sensitive documents pertaining to the financial heavyweight’s operations.

It doesn’t come more worrying than sensitive financial data being exposed in such a manner, apparently due to a bug in Huddle’s systems. That same flaw also allowed an unnamed third-party to access the BBC’s account.

Huddle told the BBC that this particular bug had affected six user sessions since March of this year. The company noted: “With 4.96 million log-ins to Huddle occurring over the same time period [March to November], the instances of this bug occurring were extremely rare.”

Error code

The actual flaw involved a bug with authorization codes: if two people logged on using the same login server within 20 milliseconds of each other, they were simultaneously issued the same authorization code, and that could lead to a situation where one user was logged onto the other’s account (if they were quicker to request a security token in the next login step).

As mentioned, Huddle has now fixed this problem, ensuring that a fresh code is always generated for every user logging in.

Obviously enough, though, it’s a major concern that such a critical issue was festering in the system for quite some time.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).