
Florida State Tax Website Bug Exposed Filer Data TechCrunch


A security breach on the Florida Department of Revenue’s website revealed at least hundreds of taxpayers’ Social Security numbers and bank accounts, a security researcher has found.

Kamran Mohsin said the security flaw – now patched – allowed him or anyone else logged into the state business tax registration website to access, modify and delete the personal data of business owners whose information is registered with the state tax authority by changing the portion of the web address that contains the taxpayer’s application number.

Mohsin said the application numbers are sequential, allowing anyone to list taxpayer information by incrementing the application number by a single digit. Mohsin said there were more than 713,000 applications in the system, which the department did not dispute when contacted for comment.

The flaw is known as Insecure Direct Object Reference, or IDOR, a class of vulnerability that exposes files or data stored on a server due to weak or no security controls in place. It’s like having a key to unlock your mailbox, but that key can also unlock all the other mailboxes in your neighborhood. IDORs have an advantage over other bugs in that they can often be fixed quickly at the server level.
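An added example (not code from the Florida site or from TechCrunch) showing the pattern behind an IDOR next to the server-side ownership check that closes it for read, modify and delete. The in-memory store, account names and application numbers are constructed for illustration.

```python
# Added illustration; store, names and numbers are constructed, not the state's system.
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not touch the requested record."""

@dataclass
class Application:
    app_id: int      # sequential application number, as the article describes
    owner: str       # account that filed the registration
    business: str

# Constructed sample data keyed by sequential application number.
STORE = {
    1001: Application(1001, "alice", "Alice's Bakery LLC"),
    1002: Application(1002, "bob", "Bob's Towing Inc"),
}

def get_application_idor(session_user: str, app_id: int) -> Application:
    """Vulnerable pattern: any logged-in user gets whatever number is in the URL."""
    if not session_user:
        raise Forbidden("login required")
    return STORE[app_id]  # authentication only, no ownership check

def _authorize(session_user: str, app_id: int) -> Application:
    """Object-level check shared by read, update and delete."""
    app = STORE.get(app_id)
    # Same error for 'missing' and 'not yours', so replies do not confirm valid numbers.
    if not session_user or app is None or app.owner != session_user:
        raise Forbidden("not found or not permitted")
    return app

def get_application(session_user: str, app_id: int) -> Application:
    return _authorize(session_user, app_id)

def update_business(session_user: str, app_id: int, name: str) -> Application:
    app = _authorize(session_user, app_id)
    app.business = name
    return app

def delete_application(session_user: str, app_id: int) -> None:
    _authorize(session_user, app_id)
    del STORE[app_id]
```

The check lives in one helper so that every operation on a record passes through it; an endpoint that skips it reintroduces the flaw even if the others are correct.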

Mohsin provided TechCrunch with screenshots of the website flaw, which included sample names, home and work addresses, bank account and routing numbers, social security numbers, and other unique tax identifiers used to file documents with the state and federal government.

Tax IDs, like social security numbers, are often targeted by scammers and cybercriminals to file fraudulent tax returns aimed at stealing tax refunds, costing taxpayers billions of dollars each year.

Mohsin contacted the Florida Department of Revenue on October 27 and received an email address to report the vulnerability. He did, and the flaw was patched shortly after, but he said he hasn’t heard from the department since.

When contacted for comment, the Florida Department of Revenue told TechCrunch that the flaw was patched within four days of Mohsin’s report and that two security companies, which the department did not name, have said the website was now secure.

“The vulnerability allowed the external person to view registration data submitted by taxpayers, including 417 registrations containing confidential information,” spokeswoman Bethany Wester said in an email. “Within two days, the Department attempted to contact each affected business by telephone and contacted all affected taxpayers by telephone or in writing within four days. The Department also offered one year of free credit monitoring to each affected taxpayer.”

When questioned, the department said it identified “no signs of exploitation prior to this breach,” but did not say whether it had the technical means, such as logs, to determine if there was evidence of abuse, prior exploitation or exfiltration of data.
