
Florida state tax website exposed a bug in filers’ data • businessroundups.org

by Ana Lopez

A security flaw on the Florida Department of Revenue website has exposed at least hundreds of taxpayer social security numbers and bank account numbers, a security researcher has discovered.

Kamran Mohsin said the security flaw – now fixed – allowed him, or anyone else logged into the state’s tax registry website, to access the personal information of business owners whose information is on file with the state’s tax office, and to retrieve it simply by changing the part of the web address that contains the taxpayer’s application number.

Mohsin said application numbers are sequential, allowing anyone to enumerate taxpayers’ information by incrementing the application number by one. Mohsin said there were more than 713,000 applications in the system, which the department did not dispute when reached for comment.

The flaw is known as an insecure direct object reference, or IDOR, a class of vulnerability in which files or data on a server are exposed because the server fails to check whether the requesting user is actually authorized to see the object it was asked for. It’s like having a key to open your mailbox, but that key can also unlock every other mailbox in your entire neighborhood. One advantage IDORs have over other bugs is that they can often be fixed quickly at the server level, by adding the missing authorization check.

Mohsin provided businessroundups.org with screenshots demonstrating the flaw, which included examples of names, home and business addresses, bank account and routing numbers, Social Security numbers and other unique tax identifiers used for filing state and federal government paperwork.

Tax identifiers, such as Social Security numbers, are often targeted by scammers and cybercriminals for fraudulent tax filings aimed at stealing tax refunds, costing taxpayers billions of dollars every year.

Mohsin contacted the Florida Department of Revenue on October 27 and was provided an email address to report the vulnerability. He did, and the error was rectified soon after, but he said he had not heard from the department since.

When reached for comment, the Florida Department of Revenue told businessroundups.org that the flaw was fixed within four days of Mohsin’s report and that two security firms, which the department did not name, say the website is now secure.

“The vulnerability allowed the outside individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information,” spokesperson Bethany Wester said in an email. “Within the space of two days, the Department attempted to contact each affected company by telephone and had contacted all affected taxpayers by telephone or letter within four days. The Department also offered a year of free credit monitoring to any affected taxpayer.”

When asked, the department said it had identified “no sign of exploitation prior to this breach,” but did not say whether it had the technical resources, such as logs, to determine whether there was evidence of previous exploitation or data exfiltration.
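As an added illustration, not code from the article or from the department’s website, here is a minimal Python model of the IDOR described above beside its authorization-checked fix, together with the kind of access-log check a defender would need in order to answer the question of prior exploitation; the registry, logins and log lines are constructed.

```python
from collections import defaultdict

# Constructed registry: application number -> (owner login, record).
REGISTRY = {
    100001: ("acme_llc", {"name": "Acme LLC", "ssn_last4": "1234"}),
    100002: ("bayside_inc", {"name": "Bayside Inc", "ssn_last4": "5678"}),
    100003: ("acme_llc", {"name": "Acme Holdings", "ssn_last4": "9012"}),
}

def lookup_vulnerable(session_user, application_number):
    """IDOR: any logged-in user gets any record; the owner is never checked."""
    entry = REGISTRY.get(application_number)
    return entry[1] if entry else None

def lookup_hardened(session_user, application_number):
    """Fix: release the record only to its owner. Missing and foreign records
    both return None so the response does not reveal which numbers exist."""
    entry = REGISTRY.get(application_number)
    if entry is None or entry[0] != session_user:
        return None
    return entry[1]

# Constructed access-log lines: "<session> GET /registration?app=<number>".
ACCESS_LOG = """\
sess_a GET /registration?app=100001
sess_a GET /registration?app=100003
sess_b GET /registration?app=100001
sess_b GET /registration?app=100002
sess_b GET /registration?app=100003
sess_b GET /registration?app=100004
"""

def flag_sequential_access(log_text, min_run=4):
    """Return sessions that requested at least `min_run` consecutive application
    numbers; a legitimate filer rarely needs more than its own few records."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        session, _, path = line.split(" ", 2)
        seen[session].add(int(path.rsplit("=", 1)[1]))
    flagged = []
    for session, numbers in seen.items():
        ordered = sorted(numbers)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(session)
    return sorted(flagged)
```

Without request logs that record the session and the requested application number, a check like `flag_sequential_access` cannot be run at all, which is why the question the department did not answer matters.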
