Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Security Privacy Technology

Huddle's 'Highly Secure' Work Tool Exposed KPMG And BBC Files (bbc.com) 36

Chris Foxx, reporting for BBC: The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties. A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents. Huddle is an online tool that lets work colleagues share content and describes itself as "the global leader in secure content collaboration." The company said it had fixed the flaw. Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages. "If somebody is putting themselves out there as a world-class service to look after information for you, it just shouldn't happen," said Prof Alan Woodward, from the University of Surrey. "Huddles contain some very sensitive information."

Huddle's 'Highly Secure' Work Tool Exposed KPMG And BBC Files

Comments Filter:
  • by ctilsie242 ( 4841247 ) on Monday November 13, 2017 @12:01PM (#55540841)

    That just seems odd... 20 milliseconds is a long time when it comes to computers, and having the same "auth code" which can get one user to have another user's token seems like piss-poor design. This never should have been done in the first place.

    • Software like this is usually designed by Millennials who have no concept of doing things right.
      • by Anonymous Coward

        I would probably surmise the place did some Scrum methodology, and because of the daily public humiliation at the stand-up meeting, if deliverables were not done, no matter how insane they were, developers took shortcuts in security. Bad security won't affect them, as the legal/PR guys handle it. However, taking time to do things "right" means being excoriated by the Scrum master the next day, or even fired and replaced with a dev who will cough up code for the sprints, no matter how insecure it is.

        • Re: (Score:3, Insightful)

          +1 Insightful. They "sprinted" right off the cliff and fell through the Clouds.
        • Sounds about right. Scrum almost always produces poorly thought out, rushed, and therefore low quality software.

          But hey - it's Agile(tm), so when it inevitably sucks, that's because You Weren't Doing Agile Right(tm)!

      • by SB5407 ( 4372273 )
        Are you saying that all millennials make buggy software, or are you saying that software like that is usually made by the subset of millennials that don't know how to do things right?
    • These things keep happening because companies are not really held accountable for their software, not even in security-sensitive domains. They apologize and are then rewarded with additional contracts to fix the issues.
    • It's caused by multiple layers of code/tools/frameworks. My guess: What one programmer assumed to be a synchronous function call to get an authorization code turns out to eventually get passed to some sort of inter-process messaging system. The messaging system never had a way to match requests to responses and just passes the last message it gets back.

      In my opinion these types of systems, that is ones with multiple layers of frameworks and processes communicating with each other, can't be secure.
  • The cloud is just someone else's servers.

    It's amazing how much people trust other people's servers. Some are good: both google ana amazon for example have a good reputation when it comes to the security of the core infrastructure.

    But they are large frequently attacked and have been around a while. It's amazing how much trust people will put in a company that simply talks a good game but doesn't really have anything to back that up.

    • Generally, we're seeing a trend of individual data centers getting hacked. For IAAS and SAAS, we're finding that guy in data center A who had to deal with a security issue is also guy in data center B who hasn't yet, because they're the same guy: the service provider runs stuff for multiple clients.

      It's more-efficient. That doesn't mean the service platform itself doesn't sometimes have flaws, or that the new provider won't get hacked to hell; it just means anything that's been running for reasonably-l

  • by Anonymous Coward

    Anyone that exposes "very sensitive information" to the internet is a fool.
    Period
    End of Message

    • by Anonymous Coward
      Fuck you. Some people have business models that are built around secure information storage and sharing. You need to stop listening to the hype, Chicken Little, and get into the 21st century. Yes, there may be a hiccup here or there but in general the value and convenience of being able to share information ubiquitously far outweighs whatever minor glitch we sometimes run across (and quickly fix). Security can sometimes be a moving target, but with each experience we learn and become better. Someday we
    • Anyone that exposes "very sensitive information" to the internet is a fool.
      Period
      End of Message

      So, you don't use any online services at all?

      No online banking?
      No online payments?
      No online shopping?
      No online access to your health insurance?

      etc.

      Every single one of those can and does have very sensitive information in it or passing through it.

  • In British business English, a "diary" is a calendar. Just in case you were wondering why businesspeople were writing their diaries on workplace cloud services.

  • ... Brute?

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...