Huddle's 'Highly Secure' Work Tool Exposed KPMG And BBC Files

Chris Foxx, reporting for BBC: The BBC has discovered a security flaw in the office collaboration tool Huddle that led to private documents being exposed to unauthorised parties. A BBC journalist was inadvertently signed in to a KPMG account, with full access to private financial documents. Huddle is an online tool that lets work colleagues share content and describes itself as "the global leader in secure content collaboration." The company said it had fixed the flaw. Its software is used by the Home Office, Cabinet Office, Revenue & Customs, and several branches of the NHS to share documents, diaries and messages. "If somebody is putting themselves out there as a world-class service to look after information for you, it just shouldn't happen," said Prof Alan Woodward, from the University of Surrey. "Huddles contain some very sensitive information."

Why is this even possible?

[ctilsie242]

That just seems odd... 20 milliseconds is a long time when it comes to computers, and having the same "auth code" which can get one user to have another user's token seems like piss-poor design. This never should have been done in the first place.

Re:

[110010001000]

Software like this is usually designed by Millennials who have no concept of doing things right.

Re:

[Anonymous Coward]

I would probably surmise the place did some Scrum methodology, and because of the daily public humiliation at the stand-up meeting, if deliverables were not done, no matter how insane they were, developers took shortcuts in security. Bad security won't affect them, as the legal/PR guys handle it. However, taking time to do things "right" means being excoriated by the Scrum master the next day, or even fired and replaced with a dev who will cough up code for the sprints, no matter how insecure it is.

Re:

[110010001000]

+1 Insightful. They "sprinted" right off the cliff and fell through the Clouds.

Re:

[lewiscr]

I also died that way in King's Quest 1.

Re:

[bluefoxlucid]

How appropriate, as you're pretending to know what you're talking about.

Agile project management is about reducing risks by scheduling things in smaller, more-manageable pieces so you can verify, define, learn from, and build upon them. Turns out people will break down a project into a bunch of definable work packages that have to all be implemented completely before anything "whole" is delivered; so instead, you build whole building blocks, whole features, whole APIs, whole subsystems, etc. to solve par

Re:

[thomn8r]

Found the PMP consultant!

Re:

[140Mandak262Jamuna]

That bullshit will impress idiots with MBAs, not the actual down and dirty coders.

All the Agile evangelists take the same damned line, "Agile, done correctly, will not have these problems". "But.. But these problems exist". "Ah, they are not doing Agile correctly, because, now say it with me, Agile, done correctly, will not have these problems".

I simply say, "Agile can not be done correctly, Agile will not save you money or time or effort".

Instead of hiring qualified coders and good managers, you hir

Re:

[bluefoxlucid]

MBAs are mostly looking at "Agile" and reading "no planning!" Problem: Agile development is heavy on planning--it's still easily 60% of the process. Actual execution makes up less than half of your time.

We've hired plenty of programmers who make shit code. We also hired two programmers who flipped chairs over the horrendous mess their predecessors left and three who were actually useful but also not freaking out. The ones who were writing good code were also lobbying for things like coding standards

Re: Why is this even possible?

[Reverend Green]

Hahaha - get real, broham. No one's fooled anymore.

Re:

[bluefoxlucid]

Just like nobody's fooled anymore about programmers in America with Bachelor's degrees really being any better than programmers in India who started googling PHP functions a few weeks ago, right?

Re: Why is this even possible?

[Reverend Green]

You never met a talented programmer from India? Really?

Re:

[bluefoxlucid]

I've met plenty; just not in the bottom-of-the-barrel $5/day crew that management wants to hire all the time.

Strike that. I've met one who wasn't the world's best programmer but had repeatedly explained to his colleagues not to architect the way they had, and was absolutely correct about the architecture being crap. That's what got me into project management in the first place: that information was available, it was visible; nobody reacted to it. In the end, we fired the contracted programming team--

Re:

[lewiscr]

Agile == pretend we know what we're doing

I prefer to say "Agile == Admit you don't know what you're doing, but you're going to figure it as you go."

Security seems to go with experience, not methodology. There are uncountable examples of poor security, regardless of development styles. There are plenty of examples of good security coming out of Agile shops. Just because there are plenty of inexperienced teams using Agile doesn't mean it's Agile's fault.

Re: Why is this even possible?

[Reverend Green]

Sounds about right. Scrum almost always produces poorly thought out, rushed, and therefore low quality software.

But hey - it's Agile(tm), so when it inevitably sucks, that's because You Weren't Doing Agile Right(tm)!

Re:

[SB5407]

Are you saying that all millennials make buggy software, or are you saying that software like that is usually made by the subset of millennials that don't know how to do things right?

Re:

[Unknown User]

These things keep happening because companies are not really held accountable for their software, not even in security-sensitive domains. They apologize and are then rewarded with additional contracts to fix the issues.

Re:

[FeelGood314]

It's caused by multiple layers of code/tools/frameworks. My guess: What one programmer assumed to be a synchronous function call to get an authorization code turns out to eventually get passed to some sort of inter-process messaging system. The messaging system never had a way to match requests to responses and just passes the last message it gets back.

In my opinion these types of systems, that is ones with multiple layers of frameworks and processes communicating with each other, can't be secure.

encrypted files per user & file keys - failure

[FeelGood314]

Even that doesn't always help. If the system is complicated enough you can still be hacked. Here is a bug we found in one of our systems where the files where encrypted and the process handling the data could only access one particular users data. Also the output of the system could only send an email to the active user. Somewhere in the processing of the data a javascript function was called with the data. In the javascript we were able to redefine one of the functions so that it acted correctly on the

Re:

[Afty0r]

If it's running in Javascript, Kendo UI, it's client-side. Whoever was responsible for the server-side developing ALSO fucked up here - the server should *NOT* have trusted a client input without validating it. If it had been validated on the server, this would have been impossible. When the Kendo Grid returned values, the API or handler should have checked that those values were correct for the logged in user.

You are correct that a myriad of tools/frameworks makes security more difficult, but most comp

As someone here loves saying...

[serviscope_minor]

The cloud is just someone else's servers.

It's amazing how much people trust other people's servers. Some are good: both google ana amazon for example have a good reputation when it comes to the security of the core infrastructure.

But they are large frequently attacked and have been around a while. It's amazing how much trust people will put in a company that simply talks a good game but doesn't really have anything to back that up.

Re:

[bluefoxlucid]

Generally, we're seeing a trend of individual data centers getting hacked. For IAAS and SAAS, we're finding that guy in data center A who had to deal with a security issue is also guy in data center B who hasn't yet, because they're the same guy: the service provider runs stuff for multiple clients.

It's more-efficient. That doesn't mean the service platform itself doesn't sometimes have flaws, or that the new provider won't get hacked to hell; it just means anything that's been running for reasonably-l

Dear Prof Woodward,

[Anonymous Coward]

Anyone that exposes "very sensitive information" to the internet is a fool.
Period
End of Message

Re:

[Anonymous Coward]

Fuck you. Some people have business models that are built around secure information storage and sharing. You need to stop listening to the hype, Chicken Little, and get into the 21st century. Yes, there may be a hiccup here or there but in general the value and convenience of being able to share information ubiquitously far outweighs whatever minor glitch we sometimes run across (and quickly fix). Security can sometimes be a moving target, but with each experience we learn and become better. Someday we

Re:

[HumanWiki]

Anyone that exposes "very sensitive information" to the internet is a fool.
Period
End of Message

So, you don't use any online services at all?

No online banking?
No online payments?
No online shopping?
No online access to your health insurance?

etc.

Every single one of those can and does have very sensitive information in it or passing through it.

Diary = calendar

[FormOfActionBanana]

In British business English, a "diary" is a calendar. Just in case you were wondering why businesspeople were writing their diaries on workplace cloud services.

Et tu ...

[CaptainDork]

... Brute?

Where's Huddles?

[Chris Mattern]

https://www.youtube.com/watch?... [youtube.com]