"Florida State Tax Website Bug Exposed Filers' Data"

A researcher discovered that a security flaw on the Florida Department of Revenue website exposed the bank account and Social Security numbers of at least hundreds of taxpayers. By changing the portion of the website address that contains the taxpayer's application number, Kamran Mohsin said, the security flaw, which has since been fixed, allowed him or anyone else who was logged in to the state's business tax registration website to access, modify, and delete the personal data of business owners whose information is on file with the state's tax authority. According to Mohsin, application numbers are sequential, so anyone could compile data on taxpayers simply by incrementing the application number by one. There were over 713,000 applications in the system.

The flaw is an Insecure Direct Object Reference (IDOR): the server uses a user-supplied identifier, here the application number, to look up a record without checking that the requester is authorized to access that record, so files or data stored on the server are exposed. It is similar to having a key that opens not only your own mailbox but every other mailbox in the neighborhood. Compared with other bugs, IDOR vulnerabilities have the advantage that they can typically be fixed quickly on the server side by adding the missing authorization check.

Mohsin provided screenshots of the website bug showing examples of names, residential and commercial addresses, bank account and routing numbers, Social Security numbers, and other tax identifiers used for submitting paperwork to the state and federal governments. Scammers and cybercriminals often target tax identifiers such as Social Security numbers to file false tax returns and steal tax refunds, costing taxpayers billions of dollars annually. On October 27, Mohsin contacted the Florida Department of Revenue, which gave him an email address to report the vulnerability. Soon after the flaw was reported, it was fixed.

According to the Florida Department of Revenue, the vulnerability was fixed four days after Mohsin reported it, and two unnamed security firms have verified the website's security. This article continues to discuss the exposure of taxpayers' data by the Florida Department of Revenue website.
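The IDOR pattern described above, as an added illustration that is not the Department of Revenue's code: a lookup that trusts the caller-supplied application number beside one that enforces object-level authorization, plus a simple log heuristic a defender could use to spot a session walking sequential application numbers. The record store, field names and log format are constructed for the example.

```python
"""Added example (not the Florida DOR code): object-level authorization
for a tax-application lookup, vulnerable vs. hardened, plus a log check
that flags sessions requesting runs of consecutive application ids."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Application:
    app_id: int
    owner: str        # account that filed the application
    ssn_last4: str    # constructed sample data, not real identifiers
    routing: str


# Constructed in-memory store standing in for the state's database.
APPLICATIONS = {
    1001: Application(1001, "alice", "1234", "000000001"),
    1002: Application(1002, "bob", "5678", "000000002"),
    1003: Application(1003, "carol", "9012", "000000003"),
}


def lookup_vulnerable(session_user: str, app_id: int):
    """IDOR: returns whatever app_id the URL names, ignoring who asked."""
    return APPLICATIONS.get(app_id)


def lookup_hardened(session_user: str, app_id: int):
    """Returns the record only if the authenticated session owns it.
    'Not found' and 'not yours' get the same answer, so ids leak nothing."""
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner != session_user:
        return None
    return app


def flag_enumeration(log_lines, threshold=3):
    """Flag sessions whose distinct application ids contain at least
    `threshold` values linked by adjacent consecutive pairs (1001,1002,...).
    Log format (constructed): 'sess=<id> GET /registration/application/<n>'."""
    seen = defaultdict(set)
    for line in log_lines:
        session, _, path = line.split()
        seen[session].add(int(path.rsplit("/", 1)[1]))
    flagged = []
    for session, ids in seen.items():
        run = sorted(ids)
        pairs = sum(1 for a, b in zip(run, run[1:]) if b - a == 1)
        if pairs + 1 >= threshold:
            flagged.append(session)
    return flagged


SAMPLE_LOG = [  # constructed access-log lines
    "sess=a1 GET /registration/application/1001",
    "sess=a1 GET /registration/application/1001",
    "sess=b2 GET /registration/application/1001",
    "sess=b2 GET /registration/application/1002",
    "sess=b2 GET /registration/application/1003",
]
```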

TechCrunch reports "Florida State Tax Website Bug Exposed Filers' Data"
