A researcher spotted a bug in Florida’s state revenue website that allowed anyone with log-in access to view, modify and even delete other taxpayers’ records.
Although the department fixed the bug after being informed, the flaw exposed the bank account and social security numbers attached to over 713,000 applications. The department has informed all affected taxpayers of the incident and is offering them a year of free credit monitoring.
Exposing Taxpayers’ Data
As of writing, the website holds over 713,000 applications filed by taxpayers, whose social security numbers and bank details were the exposed data. The flaw is described as an insecure direct object reference (IDOR) and is relatively easy to fix.
Florida’s Department of Revenue patched it four days after being informed by Mohsin on October 27th. Until then, anyone with log-in access could see, modify and even delete the personal data of other taxpayers simply by changing the web address, which pointed to a taxpayer’s application number.
Though the flaw is easy to fix, its impact was significant given how easy it was to exploit: a threat actor only needed to change the digits in the URL to the target’s application number. No such illegal incident has taken place so far, according to Department representative Bethany Wester.
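The pattern described above, as an added illustration that is not the department’s code: a record lookup keyed only by the application number taken from the URL, beside a hardened version that checks the record belongs to the logged-in user before returning, modifying or deleting it. The store, account names and field values are constructed for the example.

```python
# Constructed in-memory store: application number -> record.
# "owner" is the taxpayer account that filed the application.
APPLICATIONS = {
    1001: {"owner": "alice", "ssn_last4": "1234", "bank": "ACCT-A"},
    1002: {"owner": "bob", "ssn_last4": "5678", "bank": "ACCT-B"},
}


class Forbidden(Exception):
    """Raised when a user tries to reach a record they do not own."""


def get_application_vulnerable(session_user, app_id):
    """IDOR: trusts the identifier from the URL and never asks whether the
    logged-in user owns it, so any authenticated user can read any
    application just by supplying a different app_id."""
    return APPLICATIONS[app_id]


def get_application_fixed(session_user, app_id):
    """Hardened: the record is returned only if its owner is the session
    user. The same check must guard the modify and delete paths."""
    record = APPLICATIONS.get(app_id)
    # One error for both "missing" and "not yours", so the response does
    # not reveal which application numbers exist.
    if record is None or record["owner"] != session_user:
        raise Forbidden("application not accessible")
    return record


def delete_application_fixed(session_user, app_id):
    """Delete only after the ownership check passes; returns True on success."""
    get_application_fixed(session_user, app_id)  # raises Forbidden otherwise
    del APPLICATIONS[app_id]
    return True


def demo():
    """Show the difference: bob reads alice's bank field through the
    vulnerable lookup but is refused by the hardened one."""
    leaked = get_application_vulnerable("bob", 1001)["bank"]
    try:
        get_application_fixed("bob", 1001)
        refused = False
    except Forbidden:
        refused = True
    return leaked, refused
```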
She added that two unnamed firms have deemed the site secure, and that the department contacted every affected taxpayer by phone or in writing within four days of acknowledging the incident. Though they are confident the flaw was not abused, they are still offering a year of free credit monitoring to all taxpayers.