A security flaw on the Florida Department of Revenue website exposed at least hundreds of taxpayers’ Social Security numbers and bank account numbers, a security researcher found.
Kamran Mohsin said the security flaw, now fixed, allowed him, or anyone else who was logged in to the state’s business tax registration website, to access, modify and delete the personal data of business owners whose information is on file with the state’s tax authority, simply by changing the taxpayer’s application number in the web address.
Mohsin said that application numbers are sequential, allowing anyone to enumerate taxpayers’ information by incrementing the application number by one and repeating the request. Mohsin said there were more than 713,000 applications in the system, which the department did not dispute when reached for comment.
The flaw is known as an insecure direct object reference, or IDOR: the server looks up a record using an identifier the client supplies, here the application number in the URL, and returns it after checking only that the user is logged in, not that the record belongs to that user. It’s like having a key to unlock your mailbox, but that key can also unlock every other mailbox in your entire neighborhood. Unlike many other bug classes, an IDOR can often be fixed quickly, because the missing authorization check is added on the server and nothing on the client has to change. Sequential identifiers make the problem worse, since an attacker can walk through every record just by counting; random, unguessable identifiers slow enumeration down but are not a substitute for the per-record check.
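To make the pattern concrete, here is an added example (not code from the Florida Department of Revenue site or from the researcher’s report) of a record-lookup handler with the IDOR beside its fixed form, plus the enumeration loop an attacker runs against sequential identifiers. The registration records, account names, application numbers and function names are all constructed for this illustration.

```python
"""IDOR on a record-lookup endpoint, and the server-side fix.

Added example for illustration only. The record store, account names,
application numbers and handler names are constructed, not taken from
any real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    """One business tax registration. ssn_last4 stands in for the sensitive
    fields (SSN, bank account, routing number) held by the real system."""
    application_number: int
    owner: str          # account that submitted the registration
    business_name: str
    ssn_last4: str


# Constructed sample data: sequential application numbers, one owner each.
REGISTRATIONS = {
    100001: Registration(100001, "alice", "Alice's Bakery LLC", "1234"),
    100002: Registration(100002, "bob", "Bob's Auto Repair", "5678"),
    100003: Registration(100003, "carol", "Carol Consulting", "9012"),
}


class NotFound(Exception):
    """Stand-in for an HTTP 404 response."""


def get_registration_vulnerable(session_user: str, application_number: int) -> Registration:
    """Vulnerable handler for GET /registration/<application_number>.

    The only check is that the caller is logged in. The record is fetched by
    the client-supplied number and returned without confirming that it belongs
    to the caller. Any logged-in user can read any record: this is the IDOR.
    """
    if not session_user:
        raise PermissionError("login required")
    record = REGISTRATIONS.get(application_number)
    if record is None:
        raise NotFound()
    return record


def get_registration_fixed(session_user: str, application_number: int) -> Registration:
    """Fixed handler for the same URL, with per-object authorization.

    The record must exist AND be owned by the session user. Both failures
    produce the same 404 so the response does not reveal which numbers are
    in use to someone who is not the owner.
    """
    if not session_user:
        raise PermissionError("login required")
    record = REGISTRATIONS.get(application_number)
    if record is None or record.owner != session_user:
        raise NotFound()
    return record


def enumerate_registrations(handler, session_user: str, start: int, count: int) -> list[int]:
    """What an attacker does with sequential identifiers: log in as one
    account, walk the application number upward, and keep every record the
    server hands back. Returns the application numbers that were obtained."""
    obtained = []
    for number in range(start, start + count):
        try:
            handler(session_user, number)
        except NotFound:
            continue
        obtained.append(number)
    return obtained


if __name__ == "__main__":
    # Logged in as "alice", sweep ten consecutive numbers against each handler.
    print("vulnerable:", enumerate_registrations(get_registration_vulnerable, "alice", 100000, 10))
    print("fixed:     ", enumerate_registrations(get_registration_fixed, "alice", 100000, 10))
```

Against the vulnerable handler the sweep from one account returns every record in the range; against the fixed handler it returns only the caller’s own. The fix is a single ownership comparison inside the handler, which is why this class of bug can be closed quickly once found.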
Mohsin provided TechCrunch with screenshots of the website flaw, which included samples of names, home and business addresses, bank account and routing numbers, Social Security numbers and other unique tax identifiers used for filing paperwork with the state and federal government.
Tax identifiers, like Social Security numbers, are often targeted by scammers and cybercriminals for filing fraudulent tax returns aimed at stealing tax refunds, costing taxpayers billions of dollars every year.
Mohsin contacted the Florida Department of Revenue on October 27 and was provided an email address to report the vulnerability. He did, and the flaw was fixed soon after, but he said he has not heard back from the department since.
When reached for comment, the Florida Department of Revenue told TechCrunch that the flaw was fixed within four days of Mohsin’s report and that two security companies, which the department did not name, say the website is now secure.
“The vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information,” said spokesperson Bethany Wester in an email. “Within a two-day timeframe, the Department attempted to contact each affected business by phone and had contacted all affected taxpayers by phone or in writing within four days. The Department has also offered one year of complimentary credit monitoring to each affected taxpayer.”
When asked, the department said that it has identified “no sign of exploitation prior to this breach,” but did not say if it had the technical means, such as logs, to determine if there was evidence of prior exploitation or data exfiltration.