A security researcher discovered that a security weakness on the Florida Department of Revenue website exposed the bank account and Social Security numbers of at least hundreds of taxpayers.
Kamran Mohsin said that by changing the portion of the website address that contains a taxpayer's application number, the security hole, now fixed, allowed him and anyone else logged in to the state's business tax registration website to access, modify, and delete the personal information of business owners whose information is on file with the state's tax authority.
IDOR Exposes Tax Data
According to Mohsin, application numbers are assigned consecutively, so anyone could compile data on taxpayers simply by incrementing the application number by one. When contacted for comment, the government did not contest Mohsin's claim that there were more than 713,000 applications in the system.
An insecure direct object reference (IDOR) is a server-side vulnerability in which files or data are exposed because the server applies insufficient or no authorization checks to a user-supplied reference, such as an ID in a URL.
It is comparable to having a key that opens your mailbox as well as every other mailbox in your entire area. Compared with other classes of issues, IDORs have the advantage that they can usually be resolved promptly on the server side.
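As an added illustration (not the Florida Department of Revenue's code; all records, account names and log lines below are constructed), here is the vulnerable lookup pattern the article describes beside the ownership check that closes it, plus a simple check a defender could run over access logs to spot a session walking consecutive application numbers:

```python
# Added illustration of the IDOR pattern described above. Not the Florida
# Department of Revenue's code; all records, users and log lines are constructed.
from collections import defaultdict

# Constructed sample store: application number -> (owner account, record)
REGISTRATIONS = {
    1001: ("alice", {"business": "Alice Bakery", "ssn_last4": "1234"}),
    1002: ("bob", {"business": "Bob Plumbing", "ssn_last4": "5678"}),
    1003: ("carol", {"business": "Carol Cafe", "ssn_last4": "9012"}),
}

def get_registration_vulnerable(user, app_number):
    # Vulnerable: any logged-in user can fetch any application by number;
    # the session identity is never compared with the record's owner.
    entry = REGISTRATIONS.get(app_number)
    return entry[1] if entry else None

def get_registration_hardened(user, app_number):
    # Fix: authorise the object reference against the session identity.
    # "Missing" and "not yours" both return None so a caller cannot use the
    # response to confirm which sequential numbers exist.
    entry = REGISTRATIONS.get(app_number)
    if entry is None or entry[0] != user:
        return None
    return entry[1]

def flag_enumeration(log_lines, threshold=3):
    # Detection: one user requesting a run of consecutive application numbers.
    # Each constructed line has the form "<user> GET /registration/<number>".
    seen = defaultdict(list)
    for line in log_lines:
        user, _, path = line.split()
        seen[user].append(int(path.rsplit("/", 1)[1]))
    flagged = set()
    for user, nums in seen.items():
        run = 1
        for prev, cur in zip(nums, nums[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)
# Constructed access log: "mallory" walks three consecutive numbers.
SAMPLE_LOG = [
    "alice GET /registration/1001",
    "mallory GET /registration/1001",
    "mallory GET /registration/1002",
    "mallory GET /registration/1003",
    "alice GET /registration/1001",
]
```

The same enumeration check, applied to retained access logs, is the kind of evidence a department would need to back a statement that no prior exploitation occurred.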
Screenshots of the website issue that Mohsin shared with TechCrunch showed examples of names, residential and commercial addresses, bank account and routing numbers, Social Security numbers, and other special tax identifiers used for filing paperwork with the state and federal governments.
Scammers and cybercriminals frequently target tax identifiers, such as Social Security numbers, in order to file false tax returns and steal tax refunds, which costs taxpayers billions of dollars annually.
Florida Department of Revenue Website Fails
On October 27, Mohsin emailed the Florida Department of Revenue, which gave him an email address to use to report the vulnerability. When he did, the problem was quickly remedied, but he said he has not heard from the department since.
When contacted for a response, the Florida Department of Revenue informed TechCrunch that the vulnerability had been repaired four days after Mohsin had reported it and that two unnamed security firms had certified the website as secure.
In an email, spokesperson Bethany Wester stated that "the vulnerability permitted the external individual to examine registration data given by taxpayers, including 417 registrations that contained confidential information."
“Within two days, the Department made a phone call to each affected business, and within four days, it had been in touch with every affected taxpayer either by phone or in writing. Each impacted taxpayer has also been given a free year of credit monitoring by the department.”
When questioned, the department stated that "no sign of exploitation prior to this breach" had been found. However, it was unclear whether the agency had the technical means, such as access logs, to determine whether any earlier exploitation or data exfiltration had taken place.