A few Florida residents may be watching their finances closely after a security breach. Researcher Kamran Mohsin Tells TechCrunchA flaw in Florida’s Department of Revenue website allowed hundreds of filers to see their bank accounts and Social Security numbers. Anyone who logged in to the state business tax registration site could see, modify and even delete personal data just by modifying the web address pointing to a taxpayer’s application number — you just needed to change the digits in the link.
Mohsin stated that there were more than 713,000 applications in Department’s pipeline when the flaw was discovered. Mohsin alerted the Department on October 27th about the flaw.
Bethany Wester, representative for the department, said that the government had fixed the flaw within four working days of receiving the report and that two unnamed businesses have declared the site safe. While she stated that there was “no indication” that the flaw was exploited by attackers, she didn’t give any details about how officials might have discovered it. After learning of the problem, the agency contacted all taxpayers affected by phone or in writing and provided a year’s credit monitoring for free.
Bugs such as these, which are known as insecure indirect object references (IDOR), can be easily fixed. This damage may also be less than other tax-related violations, such as a Healthcare.gov intrusionIn 2018, 75,000 people were compromised. However, the incident underscores the potential harm from weak security — even a small-scale exposure like this could be used to commit tax fraud and steal refunds.
Engadget recommends only products that have been reviewed by our editorial staff. This is independent from our parent company. Affiliate links may be included in some of our stories. We may be compensated if you purchase something using one of these affiliate links. All prices correct as of the date of publication.
