News

UK-based Pakistani Security Expert Exposed A US Tax Website Bug; Saved Personal Information Of 713,000 Taxpayers From Potential Breach

UK-based Pakistani Researcher Kamran Mohsin saved 713,000 American taxpayers from a potential exploiting threat of their personal information including banking details, addresses, and income statements. What happened was that Florida’s Department of Revenue website had a flaw that exposed hundreds of filers’ bank accounts and Social Security numbers. 

People with some cyber security knowledge could log in to the state business tax registration website and could see, modify and even delete personal data just by modifying the web address pointing to a taxpayer’s application number — you just needed to change the digits in the link.

Bethany Webster, Florida’s Department of Revenue representative said that the government fixed the bug and the potential threat within a few days of the report and that two unnamed firms have deemed the site secure. She added there was “no sign” attackers abused the flaw, but didn’t say how officials might have spotted any misuse. 

“The vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information. Within a two-day timeframe, the Department attempted to contact each affected business by phone and contacted all affected taxpayers by phone or in writing within four days. The Department has also offered one year of complimentary credit monitoring to each affected taxpayer.”

The actual problem that the Department’s site had is known as an insecure direct object reference, or IDOR, a class of vulnerability that exposes files or data stored on a server because of weak or no security controls in place. Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Many access control implementation mistakes can lead to access controls being circumvented. Mohsin said regarding all these incidents:

“It’s essential to have a well-developed data security policy in place to safeguard an organization’s most sensitive data. This tactic will make it easier to ascertain the data ownership, provenance, degree of sensitivity, potential applications, and other details. For this, implementing a cybersecurity framework and adopting the policies and cybersecurity strategy can reduce the attack surface.”

There were no signs or reports of any kind of misuse of the information and it seems like Kamran Mohsin was the first one to find out about the bug in the site. Kamran reported the bug to Florida’s Department of Revenue on 27 October and as soon as he reported the vulnerability, the department was efficient enough to deal with it as soon as possible. 

“It should be noted that IT teams are not the ones responsible for maintaining cybersecurity within an organization, but all the employees should be trained on cyber threats and how to tackle them as most data breaches are caused by human lack of awareness or negligence,” Mohsin added.

Read More:

Recent Audio Leaks Forces Government to Rethink Cybersecurity

 

Sponsored
Muhammad Muneeb

Muneeb is a full-time News/Tech writer at TechJuice.pk. He is a passionate follower of the IT progression of Pakistan and the world and wants to educate the people of Pakistan about tech affairs. His favorite part about being a tech writer is tech reviews and giving an honest and clear verdict to his readers. Contact Muneeb on his LinkedIn at: https://www.linkedin.com/in/muneeb-ur-rehman-b5ab45240/

Share
Published by
Muhammad Muneeb

Recent Posts

PTV Faces Criticism Over Misleading Chemotherapy Statements

ISLAMABAD: On Pakistan Television (PTV), medical experts raised serious concerns over false information on chemotherapy…

26 mins ago

OpenAI Rolls Out Advanced Voice Mode for macOS ChatGPT App

OpenAI has introduced Advanced Voice Mode to ChatGPT's desktop applications for macOS apps, enabling users…

37 mins ago

Garena Free Fire India Launch Rumors: What Fans Need to Know

Reports suggest that Garena Free Fire is set to make a much-anticipated return to India.…

19 hours ago

Albania Bans TikTok for One Year: Here’s the Reason!

The Albanian government has announced a ban on the social media platform TikTok for a…

22 hours ago

Google Pixel 9 Pro vs. 8 Pro: Biggest Upgrades Compared

The launch of Google’s latest Pixel lineup brings an exciting chance to compare the new…

1 day ago

Azad Kashmir to Host Pakistan’s First Women-Centric Software Technology Park

ISLAMABAD: In February next year, Pakistan is set to launch its first women-focused software technology…

1 day ago