An internet row broke out on Friday around the web-based accounting application KashFlow. John Stokdyk reports.
Allegations of security holes, a fog of technical confusion, name-calling and a wide-ranging examination of the issues surrounding software as a service - the great KashFlow API fracas has it all.
At the centre of the controversy is AccMan blogger Dennis Howlett. Last Friday, Howlett reported his shock at learning from CloudAve about a third-party security add-on for KashFlow called KashGuard.
“I had to read it several times, rub my eyes, swig a cup of tea and then lie down,” Howlett wrote in a post entitled KashFlow’s security nightmare.
The source of his incredulity was the discovery that KashFlow only had a single level of user security, and no capability to set access controls for other users. KashGuard plugs into KashFlow’s application programming interface (API) and gives you the ability to set permissions and restrictions that KashFlow itself does not offer.
In Howlett’s view, the combination of KashFlow’s single security level and open API opens the door for third parties to take control of the program. He raised some worrying situations the blanket log-in could permit:
- An accounting junior checking adjustments made by their boss would be able to change the data, rather than just review it.
- A user experiences a problem when using KashFlow and KashGuard - where would they point the finger?
- A temporary user with access to the system would be able to change bank details (and then change them back a day or so later): “Who would notice?”
- A hacker with a keylogging program could get between KashFlow and KashGuard and gain control of the application at the detailed level.
Howlett also speculated (in somewhat more lurid terms) that allowing a third party to have this level of access to its core application would undermine KashFlow’s business model.
Howlett took the matter up directly with KashFlow founder Duane Jackson, who initially replied that Howlett was missing the point.
“We’ve not ‘created’ anything,” Jackson commented. “Certainly not a ‘security hole’... [KashGuard developer] Atlas have no special access to KashFlow that others don’t have. For a KashFlow customer to use KashGuard they need to give the KashGuard app their login credentials, enable the API within their KashFlow account and permit the KashGuard servers to access their account via an encrypted session.”
KashFlow’s decision not to add sub-accounts with definable permissions was based on the low level of demand for such a facility among its target users, who were generally small one-man bands, he added. Jackson accepted Howlett’s suggestion that KashFlow was limiting its market, but responded: “That’s a commercial decision on my part to have our team working on other elements of the system that I feel will be of more benefit to the business and more desirable for our customers.”
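Jackson’s description amounts to a permission layer that lives in the add-on rather than in the service: the customer’s single full-power login is stored by KashGuard, and KashGuard’s servers decide what each of its users may do before forwarding the call over the API. The following Python model is added here to show the consequence Howlett is pointing at; it is not code from KashFlow, KashGuard or Atlas, and the class names, the credential tuple and the bank-details record are invented stand-ins. Whoever holds the underlying login (the add-on, a junior who watched it being typed, or a keylogger operator) can talk to the service directly and is bound by none of the add-on’s rules, and the service’s own record attributes every change to the one shared account.

```python
"""Model of a permission layer bolted on through an API by a third-party add-on.

Added illustration, not code from KashFlow, KashGuard or Atlas: the class and
function names are hypothetical stand-ins for the arrangement Jackson describes
(the customer hands the add-on their single login, enables the API, and the
add-on's servers act on the account).
"""

# Constructed sample: one account, one all-powerful credential (as the article describes).
MASTER_CREDENTIAL = ("acme-books", "s3cret")


class PermissionDenied(Exception):
    pass


class AccountingService:
    """Stand-in for the SaaS back end: one login, no per-user roles.

    Every call authenticated with the account credential is allowed to do
    everything, because the service itself has a single security level.
    """

    def __init__(self, credential):
        self._credential = credential
        self.bank_details = {"sort_code": "00-00-00", "account": "00000000"}
        self.audit_log = []  # (actor as seen by the service, action)

    def _check(self, credential):
        if credential != self._credential:
            raise PermissionDenied("bad credential")

    def read_bank_details(self, credential):
        self._check(credential)
        return dict(self.bank_details)

    def update_bank_details(self, credential, **changes):
        self._check(credential)
        self.bank_details.update(changes)
        # The service only ever sees the one shared login, so it cannot
        # tell which human made the change.
        self.audit_log.append((credential[0], "update_bank_details"))
        return dict(self.bank_details)


class PermissionProxy:
    """Stand-in for the add-on: holds the master credential, enforces its own
    per-user permission table, and forwards allowed calls to the service."""

    def __init__(self, service, credential, permissions):
        self._service = service
        self._credential = credential      # full-power login, stored by the add-on
        self._permissions = permissions    # user -> set of allowed actions

    def _allowed(self, user, action):
        if action not in self._permissions.get(user, set()):
            raise PermissionDenied(f"{user} may not {action}")

    def read_bank_details(self, user):
        self._allowed(user, "read")
        return self._service.read_bank_details(self._credential)

    def update_bank_details(self, user, **changes):
        self._allowed(user, "write")
        return self._service.update_bank_details(self._credential, **changes)


def demo():
    """Run the two paths a junior could take and report what each achieves."""
    service = AccountingService(MASTER_CREDENTIAL)
    proxy = PermissionProxy(service, MASTER_CREDENTIAL,
                            {"junior": {"read"}, "boss": {"read", "write"}})
    outcome = {}

    # Path 1: through the add-on. The proxy's table stops the junior writing.
    try:
        proxy.update_bank_details("junior", account="99999999")
        outcome["via_proxy"] = "write allowed"
    except PermissionDenied:
        outcome["via_proxy"] = "write blocked"

    # Path 2: the junior has the master login (shoulder-surfing, a keylogger,
    # or simply being the person who typed it into the add-on) and calls the
    # service directly. Nothing in the service knows about the proxy's rules.
    service.update_bank_details(MASTER_CREDENTIAL, account="99999999")
    outcome["direct"] = "write allowed"
    outcome["account_after"] = service.bank_details["account"]
    outcome["audit_actor"] = service.audit_log[-1][0]  # account name, not "junior"
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is where the check lives: the proxy’s permission table governs only the traffic that chooses to pass through it, while the service accepts the same credential from anyone. Moving the per-user check into the service (so that each user has their own login and the service records who did what) is what would actually address the scenarios in Howlett’s list.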
Howlett, Jackson and CloudAve editor Ben Kepes debated the implications of the situation extensively with AccMan readers including AccountingWEB.co.uk contributor Richard Murphy, CODA’s David Turner and Sunir Shah, “chief handshaker” of online accounts developer Freshbooks.