Huddle’s in a muddle as service is hit by truly frightening security bug

Do you use Huddle? The well-known collaboration and project management software suffered from an extremely worrying security hole, according to the BBC – although the issue has now been fixed, you’ll doubtless be pleased to hear.

As the Beeb reports, one of its journalists was using the software and found themselves signed in to a KPMG account, with access to sensitive documents pertaining to the financial heavyweight’s operations.

It doesn’t come more worrying than sensitive financial data being exposed in such a manner, apparently due to a bug in Huddle’s systems. That same flaw also allowed an unnamed third-party to access the BBC’s account.

Huddle told the BBC that this particular bug had affected six user sessions since March of this year. The company noted: “With 4.96 million log-ins to Huddle occurring over the same time period [March to November], the instances of this bug occurring were extremely rare.”

Error code

The actual flaw involved a bug with authorization codes: if two people logged on using the same login server within 20 milliseconds of each other, they were simultaneously issued the same authorization code, and that could lead to a situation where one user was logged onto the other’s account (if they were quicker to request a security token in the next login step).

As mentioned, Huddle has now fixed this problem, ensuring that a fresh code is always generated for every user logging in.

Obviously enough, though, it’s a major concern that such a critical issue was festering in the system for quite some time.