
Florida state tax website bug exposed filers’ data

A security flaw on the Florida Department of Revenue website exposed at least hundreds of taxpayers’ Social Security numbers and bank account numbers, a security researcher found.

Kamran Mohsin said the security flaw, now fixed, allowed him, or anyone else logged in to the state's business tax registration website, to access, modify and delete the personal data of business owners whose information is on file with the state's tax authority. All it took was changing the part of the web address that carries the taxpayer's application number.

Mohsin said that application numbers are sequential, allowing anyone to enumerate taxpayers' information simply by incrementing the application number by one. Mohsin said there were more than 713,000 applications in the system, a figure the department did not dispute when reached for comment.

The flaw is known as an insecure direct object reference, or IDOR: the server takes an identifier supplied by the client (here, the application number in the URL), looks up the matching record, and returns it without checking that the logged-in user is actually entitled to that record. It's like having a key to unlock your mailbox, but that key also unlocks every other mailbox in your entire neighborhood. Compared with many other bug classes, IDORs can usually be fixed quickly, because the remedy is an authorization check in the server-side code that handles the request rather than a redesign.
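The following is an added example, not code from the Florida Department of Revenue site or from the researcher. It models the bug the article describes with a small in-memory store: one lookup that trusts the application number alone (the IDOR), and one that also checks ownership against the logged-in session. The record fields, owner identifiers and application numbers are constructed for illustration; the walk over sequential numbers mirrors the enumeration Mohsin described.

```python
# Added example (not the department's or the researcher's code): the IDOR
# described above, modelled as a vulnerable lookup beside its server-side fix.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Registration:
    """One business tax registration. Fields are assumed stand-ins."""
    app_number: int      # sequential, as the article describes
    owner_id: str        # the account that submitted it (assumed field)
    business_name: str
    ssn_last4: str       # placeholder for the sensitive data the bug exposed


class RegistrationStore:
    """In-memory stand-in for the registration database (constructed data)."""

    def __init__(self, records: List[Registration]) -> None:
        self._by_number: Dict[int, Registration] = {r.app_number: r for r in records}

    def lookup_vulnerable(self, session_owner: str, app_number: int) -> Optional[Registration]:
        """IDOR: the session is ignored and the number from the URL is the only
        input, so any logged-in user who edits it gets someone else's record."""
        return self._by_number.get(app_number)

    def lookup_fixed(self, session_owner: str, app_number: int) -> Optional[Registration]:
        """Fix: resolve the object, then refuse it unless the authenticated
        session owns it. 'Missing' and 'not yours' both return None so the
        response does not confirm which application numbers exist."""
        record = self._by_number.get(app_number)
        if record is None or record.owner_id != session_owner:
            return None
        return record


def enumerate_records(lookup: Callable[[str, int], Optional[Registration]],
                      session_owner: str, start: int, count: int) -> List[int]:
    """Walk sequential application numbers the way the article describes and
    return the numbers for which the given lookup handed back a record."""
    return [n for n in range(start, start + count) if lookup(session_owner, n) is not None]


SAMPLE_RECORDS = [  # constructed sample data, four registrations for three accounts
    Registration(1001, "acct-alice", "Alice's Bakery", "1234"),
    Registration(1002, "acct-bob", "Bob's Garage", "5678"),
    Registration(1003, "acct-carol", "Carol Consulting", "9012"),
    Registration(1004, "acct-alice", "Alice's Second Shop", "3456"),
]


def demo() -> tuple:
    """Logged in as acct-alice, enumerate 1000..1009 against both lookups."""
    store = RegistrationStore(SAMPLE_RECORDS)
    leaked = enumerate_records(store.lookup_vulnerable, "acct-alice", 1000, 10)
    own = enumerate_records(store.lookup_fixed, "acct-alice", 1000, 10)
    return leaked, own


if __name__ == "__main__":
    leaked, own = demo()
    print("vulnerable lookup handed out:", leaked)   # every record in the range
    print("fixed lookup handed out:", own)           # only Alice's own records
```

The fix lives entirely in the request handler, which is why this class of bug can be closed in days: nothing about the URL scheme or the sequential numbering has to change for the authorization check to take effect. Replacing sequential numbers with random identifiers makes enumeration harder but is not a substitute for the ownership check, since a leaked or guessed identifier would still return another taxpayer's data.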

Mohsin provided TechCrunch with screenshots of the website flaw, which included samples of names, home and business addresses, bank account and routing numbers, Social Security numbers, and other unique tax identifiers used for filing paperwork with the state and federal government.

Tax identifiers, like Social Security numbers, are often targeted by scammers and cybercriminals for filing fraudulent tax returns aimed at stealing tax refunds, costing taxpayers billions of dollars every year.

Mohsin contacted the Florida Department of Revenue on October 27 and was provided an email address to report the vulnerability. He did, and the flaw was fixed soon after, but he said he has not heard back from the department since.

When reached for comment, the Florida Department of Revenue told TechCrunch that the flaw was fixed within four days of Mohsin’s report and that two security companies, which the department did not name, say the website is now secure.

“The vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information,” said spokesperson Bethany Wester in an email. “Within a two-day timeframe, the Department attempted to contact each affected business by phone and had contacted all affected taxpayers by phone or in writing within four days. The Department has also offered one year of complimentary credit monitoring to each affected taxpayer.”

When asked, the department said that it has identified “no sign of exploitation prior to this breach,” but did not say if it had the technical means, such as logs, to determine if there was evidence of prior exploitation or data exfiltration.
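Whether prior exploitation can be ruled out depends on having request logs that tie each registration lookup to a session. The following is an added example, not from the department or from TechCrunch, of what a retrospective check for the enumeration described in the article could look like. The log format, the session and path fields, and the thresholds are assumptions; the log lines are constructed, not real traffic.

```python
# Added example (not the department's code): flag sessions whose access pattern
# looks like sequential enumeration of application numbers. The log format is
# an assumption: session id, client IP, request line, HTTP status.
import re
from collections import defaultdict
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<session>\S+) (?P<ip>\S+) "(?:GET|POST|PUT|DELETE) '
    r'/registration/(?P<app>\d+)\S* HTTP/\d\.\d" (?P<status>\d{3})$'
)

# Constructed sample log: one account reading its own two records, one session
# walking six consecutive numbers, and one session probing two numbers.
SAMPLE_LOG = """\
sess-aaa 10.0.0.5 "GET /registration/1001 HTTP/1.1" 200
sess-aaa 10.0.0.5 "GET /registration/1004 HTTP/1.1" 200
sess-bbb 10.0.0.9 "GET /registration/2000 HTTP/1.1" 200
sess-bbb 10.0.0.9 "GET /registration/2001 HTTP/1.1" 200
sess-bbb 10.0.0.9 "GET /registration/2002 HTTP/1.1" 200
sess-bbb 10.0.0.9 "GET /registration/2003 HTTP/1.1" 200
sess-bbb 10.0.0.9 "GET /registration/2004 HTTP/1.1" 200
sess-bbb 10.0.0.9 "GET /registration/2005 HTTP/1.1" 200
sess-ccc 10.0.0.2 "GET /registration/3100 HTTP/1.1" 200
sess-ccc 10.0.0.2 "GET /registration/3101 HTTP/1.1" 404
"""


def app_numbers_by_session(log_text: str) -> Dict[str, List[int]]:
    """Group the application numbers each session requested. Non-200 responses
    are kept: a failed probe is still part of an enumeration pattern."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            seen[m.group("session")].append(int(m.group("app")))
    return seen


def longest_sequential_run(nums: List[int]) -> int:
    """Length of the longest run of consecutive integers in nums."""
    ordered = sorted(set(nums))
    if not ordered:
        return 0
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_text: str, min_distinct: int = 5, min_run: int = 4) -> Dict[str, dict]:
    """Return sessions that touched many distinct registrations or a run of
    consecutive numbers. One account legitimately owns a handful of
    registrations, so the thresholds are assumptions to tune against the
    site's own baseline."""
    flagged = {}
    for session, nums in app_numbers_by_session(log_text).items():
        distinct = len(set(nums))
        run = longest_sequential_run(nums)
        if distinct >= min_distinct or run >= min_run:
            flagged[session] = {"distinct": distinct, "longest_run": run}
    return flagged


if __name__ == "__main__":
    for session, stats in flag_enumeration(SAMPLE_LOG).items():
        print(f"{session}: {stats['distinct']} distinct, run of {stats['longest_run']}")
```

A pattern check like this only shows that someone walked the numbers; proving that data left the system, or that none did, requires joining each request to the account that owns the record it returned, which means the application log has to record both the session's account and the application number. Without that, "no sign of exploitation" can only mean that nothing was looked for.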


Florida state tax website bug exposed filers’ data by Zack Whittaker originally published on TechCrunch
