The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties.
A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents.
Huddle is an online tool that lets work colleagues share content and describes itself as “the global leader in secure content collaboration”.
The company said it had fixed the flaw.
Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages.
“If somebody is putting themselves out there as a world-class service to look after information for you, it just shouldn’t happen,” said Prof Alan Woodward, from the University of Surrey.
“Huddles contain some very sensitive information.”
In a statement, Huddle said the bug had affected “six individual user sessions between March and November this year”.
“With 4.96 million log-ins to Huddle occurring over the same time period, the instances of this bug occurring were extremely rare,” it said.
As well as a BBC employee being redirected to the KPMG account, Huddle said a third party had accessed one of the BBC’s Huddle accounts.
KPMG has not yet responded to the BBC’s request for comment.
How was the flaw discovered?
On Wednesday, a BBC correspondent logged in to Huddle to access a shared diary that his team kept on the platform.
He was instead logged in to a KPMG account, with a directory of private documents and invoices, and an address book.
The BBC contacted Huddle to report the security issue.
The company later disclosed that a third party had accessed the Huddle of BBC Children’s programme Hetty Feather, but it said no documents had been opened.
How did this happen?
During the Huddle sign-in process, the customer’s device requests an authorisation code.
According to Huddle, if two people arrived on the same login server within 20 milliseconds of one another, they would both be issued the same authorisation code.
This authorisation code is carried over to the next step, in which a security token is issued, letting the customer access their Huddle.
Since both User A and User B present the same authorisation code, whoever is fastest to request the security token is logged in as User A.
How has Huddle addressed this?
Huddle has now changed its system so that every time it is invoked, it generates a new authorisation code.
This ensures no two people are ever simultaneously issued the same code.
“We wish to clarify to Huddle users that this bug has been fixed, and that we continue to work to ensure such a scenario is not repeated,” the company told the BBC.
“We are continuing to work with the owners of the accounts that we believe may have been compromised, and apologise to them unreservedly.”