News

UK-based Pakistani Security Expert Exposed A US Tax Website Bug; Saved Personal Information Of 713,000 Taxpayers From Potential Breach

UK-based Pakistani Researcher Kamran Mohsin saved 713,000 American taxpayers from a potential exploiting threat of their personal information including banking details, addresses, and income statements. What happened was that Florida’s Department of Revenue website had a flaw that exposed hundreds of filers’ bank accounts and Social Security numbers. 

People with some cyber security knowledge could log in to the state business tax registration website and could see, modify and even delete personal data just by modifying the web address pointing to a taxpayer’s application number — you just needed to change the digits in the link.

Bethany Webster, Florida’s Department of Revenue representative said that the government fixed the bug and the potential threat within a few days of the report and that two unnamed firms have deemed the site secure. She added there was “no sign” attackers abused the flaw, but didn’t say how officials might have spotted any misuse. 

“The vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information. Within a two-day timeframe, the Department attempted to contact each affected business by phone and contacted all affected taxpayers by phone or in writing within four days. The Department has also offered one year of complimentary credit monitoring to each affected taxpayer.”

The actual problem that the Department’s site had is known as an insecure direct object reference, or IDOR, a class of vulnerability that exposes files or data stored on a server because of weak or no security controls in place. Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. Many access control implementation mistakes can lead to access controls being circumvented. Mohsin said regarding all these incidents:

“It’s essential to have a well-developed data security policy in place to safeguard an organization’s most sensitive data. This tactic will make it easier to ascertain the data ownership, provenance, degree of sensitivity, potential applications, and other details. For this, implementing a cybersecurity framework and adopting the policies and cybersecurity strategy can reduce the attack surface.”

There were no signs or reports of any kind of misuse of the information and it seems like Kamran Mohsin was the first one to find out about the bug in the site. Kamran reported the bug to Florida’s Department of Revenue on 27 October and as soon as he reported the vulnerability, the department was efficient enough to deal with it as soon as possible. 

“It should be noted that IT teams are not the ones responsible for maintaining cybersecurity within an organization, but all the employees should be trained on cyber threats and how to tackle them as most data breaches are caused by human lack of awareness or negligence,” Mohsin added.

Read More:

Recent Audio Leaks Forces Government to Rethink Cybersecurity

 

Sponsored
Muhammad Muneeb

Muneeb is a full-time News/Tech writer at TechJuice.pk. He is a passionate follower of the IT progression of Pakistan and the world and wants to educate the people of Pakistan about tech affairs. His favorite part about being a tech writer is tech reviews and giving an honest and clear verdict to his readers. Contact Muneeb on his LinkedIn at: https://www.linkedin.com/in/muneeb-ur-rehman-b5ab45240/

Leave a Comment
Share
Published by
Muhammad Muneeb

Recent Posts

PSEB Opens Bidding for Nationwide e-Rozgar Centers

The Pakistan Software Export Board (PSEB) has launched a nationwide program to encourage IT startups…

4 mins ago

Google Play Services Bug Disrupts Access to Apps for Pixel Users: Here’s How to Fix It

A significant issue with Google Play Services has left many Pixel users unable to access…

8 mins ago

WhatsApp Beta Partners with Google for Innovative Image Search Feature

When it comes to Android messaging apps, WhatsApp stands out as one of the best.…

46 mins ago

Farrukh Sabzwari Appointed as CEO of PSX, Set to Serve for Three Years

Farrukh H. Sabzwari has been appointed Chief Executive Officer (CEO) of Pakistan Stock Exchange Company…

2 hours ago

250 Government Schools to Be Run by Private Sector

RAWALPINDI: The chairman of the Punjab Education Foundation, Malik Shoaib Awan, stated on Monday that…

3 hours ago

Pakistan Launches First National Sex Offenders Register to Combat Sexual Violence

Pakistan has taken a significant step towards addressing sexual violence and abuse with the introduction…

3 hours ago