‘Highly secure’ collaboration app exposed KPMG and BBC files.
Imagine arriving at work, firing up your computer while you grabbed a cup of coffee, and sitting down to check your emails only to find yourself staring at a confusing screen. Instead of your usual email inbox screen, you’re looking at one that just seems “off.” After paying attention for a few seconds, you realize you’re somehow logged into a complete stranger’s email account.
Now imagine that the complete stranger is the Prime Minister, or a top military official, or the CEO of a major tech manufacturing company. The emails in the inbox contain communications about top secret missions or proprietary details of un-launched new products. It might be tempting to mine through the emails for a few minutes, but more than likely you’d hunch your shoulders and expect law enforcement to kick in your office door and haul you away for cybercrimes.
A not-too-far-off scenario of this kind happened to a BBC reporter who innocently logged into a shared Huddle account to get to work one day, only to find themselves logged into a highly sensitive account belonging to the auditing and tax firm KPMG instead. Huddle says this glitch has only happened a handful of times, something it essentially brushes aside considering how many logins take place each day.
But it only takes one unauthorized login to wreak havoc. Even if that person doesn’t meddle with files belonging to the NHS Huddle account or any of the other government accounts, the confidence that users can have in the product begins to wane. At the same time, every announcement of a security flaw is another open door to hackers looking to replicate it.
Interestingly, following the inadvertent login by the reporter, someone managed to access the BBC’s Huddle account and view its shared documents. Depending on the type of news projects and the research involved, that can literally result in life-or-death backlash against reporters who have been working on a breaking story. This means that the flaw, which hands the same two-factor authentication to two different users if they log in at nearly the same moment, is not quite the small matter that Huddle may believe.