Huddle Security Flaw Allowed Unauthorized Access

Rengar

Jan 6, 2017
‘Highly secure’ collaboration app exposed KPMG and BBC files.
Imagine arriving at work, firing up your computer while you grabbed a cup of coffee, and sitting down to check your emails only to find yourself staring at a confusing screen. Instead of your usual email inbox screen, you’re looking at one that just seems “off.” After paying attention for a few seconds, you realize you’re somehow logged into a complete stranger’s email account.

Now imagine that the complete stranger is the Prime Minister, or a top military official, or the CEO of a major tech manufacturing company. The emails in the inbox contain communications about top secret missions or proprietary details of un-launched new products. It might be tempting to mine through the emails for a few minutes, but more than likely you’d hunch your shoulders and expect law enforcement to kick in your office door and haul you away for cybercrimes.

A not-too-far-off scenario of this kind happened to a BBC reporter who innocently logged into a shared Huddle account to get to work one day, only to find themselves logged into a highly sensitive KPMG auditing and tax firm account instead. Huddle says this glitch has only happened a handful of times, something to basically brush aside considering how many logins a day take place.


Flaw in the office collaboration tool Huddle discovered by BBC journalist.

Wreak havoc
But it only takes one unauthorized login to wreak havoc. Even if that person doesn’t meddle with files belonging to the NHS Huddle account or any of the other government accounts, the confidence that users can have in the product begins to wane. At the same time, every announcement of a security flaw is another open door to hackers looking to replicate it.

Interestingly, following the inadvertent login by the reporter, someone managed to access the BBC’s Huddle account and view their shared documents. Depending on the type of news projects and the research involved, that can literally result in life or death backlash against reporters who’ve been working on a breaking story. This means that the flaw, which provides the same two-factor authentication to two different users if they log in at nearly the same exact moment, is not quite the small matter that Huddle may believe.
 
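The failure mode the post describes, two near-simultaneous logins receiving one authorization code, modelled beside a hardened issuer. This is an added example, not Huddle's implementation; the 20-second window, the cache-reuse mechanism and the user names are assumptions.

```python
import secrets

# Constructed model (not Huddle's code) of the thread's failure mode: an
# authorization code valid for a short window is reused for whoever logs in
# next inside that window, so the second user lands in the first user's account.


class WindowedIssuer:
    """Hypothetical flawed issuer: caches the most recent code for `window_s`
    seconds and hands it to any caller, not just the user it was issued for."""

    def __init__(self, window_s=20):
        self.window_s = window_s
        self._last = None          # (code, issued_at, user)
        self._sessions = {}        # code -> account the code logs into

    def issue(self, user, now):
        if self._last and now - self._last[1] < self.window_s:
            return self._last[0]   # BUG: returns the previous user's code
        code = secrets.token_urlsafe(16)
        self._last = (code, now, user)
        self._sessions[code] = user
        return code

    def redeem(self, code, user, now):
        return self._sessions.get(code)   # BUG: ignores who presents the code


class BoundIssuer:
    """Hardened issuer: every login gets a fresh random code bound to the
    requesting user; a code is accepted once, only from that user, only in time."""

    def __init__(self, window_s=20):
        self.window_s = window_s
        self._pending = {}         # code -> (bound user, issued_at)

    def issue(self, user, now):
        code = secrets.token_urlsafe(16)
        self._pending[code] = (user, now)
        return code

    def redeem(self, code, user, now):
        entry = self._pending.pop(code, None)          # single use
        if entry is None or entry[0] != user or now - entry[1] >= self.window_s:
            return None            # unknown, foreign or expired code
        return entry[0]


def login_race(issuer):
    """alice and bob log in 0.5 s apart; return the accounts they end up in."""
    code_a = issuer.issue("alice", now=100.0)
    code_b = issuer.issue("bob", now=100.5)
    return [issuer.redeem(code_a, "alice", now=101.0),
            issuer.redeem(code_b, "bob", now=101.0)]
```

With the flawed issuer `login_race` puts both users into alice's account; with the bound issuer each user reaches only their own.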

grumpy_joe

Oct 18, 2017
Theoretically somebody could write a bot with thousands of accounts constantly logging in, in the hope of causing this issue to occur. Don't know about you guys, but I lost all trust in that service even though I had never heard of it before.
 
