
Sensitive Taxpayer Info Exposed on Florida DOR’s Website

Posted on Dec. 9, 2022

A security flaw in the Florida Department of Revenue's website may have exposed personal information for over 700,000 taxpayers, according to the man who discovered it.

Kamran Mohsin, who lives in the United Kingdom, uncovered the vulnerability while helping a friend register for a business license in Florida. Mohsin has worked in cybersecurity for over five years and focuses on finding web and mobile flaws like this one.

The flaw on Florida's site, now fixed, allowed anyone who was logged into the business tax registration website to access, modify, or delete the personal data of business owners. That data includes full names, home and business addresses, Social Security numbers, and bank account numbers.

“The reported vulnerability is a subcategory of access control which should be explained as who, or what, can perform actions or access resources,” Mohsin told Tax Notes in a December 7 email. “Access control is the most common vulnerability that could be probably found in an application.”

Originally reported by TechCrunch, the flaw is known as an insecure direct object reference: the application looks up a record using an identifier supplied by the client (a registration number in a URL or form field, for instance) without checking that the logged-in user is actually authorized for that record. An authorized user whose access should be limited to their own information can therefore substitute another identifier and read or change data belonging to other users.
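To make the mechanism concrete, here is an added example (not code from the article, from Mohsin, or from the Florida DOR registration system) that models a registration lookup in the vulnerable shape described above next to the object-level authorization check that closes it. The record layout, user IDs, registration numbers and handler names are all constructed stand-ins; the in-memory dictionary plays the role of the registration database.

```python
"""Added example, not the Florida DOR's code: an insecure direct object
reference next to its hardened form. All records and IDs are constructed."""

from dataclasses import dataclass
from typing import Dict


@dataclass
class Registration:
    """One business-tax registration. Field set mirrors the article's list of
    exposed data; values are constructed test data."""
    registration_id: int
    owner_user_id: int      # the account that created this registration
    legal_name: str
    ssn_last4: str
    bank_account: str


# Constructed in-memory store standing in for the registration database.
REGISTRATIONS: Dict[int, Registration] = {
    1001: Registration(1001, 7, "Alice's Bakery LLC", "1234", "ACCT-000111"),
    1002: Registration(1002, 8, "Bob's Roofing Inc", "5678", "ACCT-000222"),
}


class NotFound(Exception):
    """Raised both when a record does not exist and when it is not the caller's,
    so a logged-in user cannot use the response to enumerate valid IDs."""


def get_registration_vulnerable(session_user_id: int, registration_id: int) -> Registration:
    """IDOR: trusts the client-supplied ID and never compares it to the session.
    Any logged-in user who guesses 1002 receives Bob's record."""
    try:
        return REGISTRATIONS[registration_id]
    except KeyError:
        raise NotFound(registration_id)


def _load_owned(session_user_id: int, registration_id: int) -> Registration:
    """Object-level authorization: fetch a registration only if the session
    user owns it. Every read/modify/delete handler goes through this."""
    rec = REGISTRATIONS.get(registration_id)
    if rec is None or rec.owner_user_id != session_user_id:
        raise NotFound(registration_id)
    return rec


def get_registration(session_user_id: int, registration_id: int) -> Registration:
    return _load_owned(session_user_id, registration_id)


def update_bank_account(session_user_id: int, registration_id: int, new_account: str) -> Registration:
    rec = _load_owned(session_user_id, registration_id)
    rec.bank_account = new_account
    return rec


def delete_registration(session_user_id: int, registration_id: int) -> None:
    _load_owned(session_user_id, registration_id)
    del REGISTRATIONS[registration_id]


def _denied(fn, *args) -> bool:
    """True if the handler refuses the request with NotFound."""
    try:
        fn(*args)
        return False
    except NotFound:
        return True


def demo() -> dict:
    """Replay the scenario from the article: user 7 is logged in and targets
    registration 1002, which belongs to user 8."""
    return {
        "vulnerable_leak": get_registration_vulnerable(7, 1002).legal_name,
        "hardened_read_denied": _denied(get_registration, 7, 1002),
        "hardened_update_denied": _denied(update_bank_account, 7, 1002, "ACCT-EVIL"),
        "hardened_delete_denied": _denied(delete_registration, 7, 1002),
        "bank_account_unchanged": REGISTRATIONS[1002].bank_account == "ACCT-000222",
        "own_record": get_registration(7, 1001).legal_name,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened form is that the authorization decision is made server-side, against the session, on every object access, and that the "not yours" case is indistinguishable from "does not exist" so the endpoint cannot be used to confirm which registration numbers are valid. Unguessable identifiers are a useful extra layer but are not a substitute for the ownership check.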

“Access control vulnerability is always a significant security flaw which the adversaries use in order to bypass the access controls or privileges set for individual accounts in an application,” Mohsin said. “The vulnerability enables them to gain unauthorized access to the enterprise resources or steal sensitive information of other users registered into the application. It should be noted that by exploiting the vulnerability, adversaries could act as legitimate users and can tamper with the available data.”

Mohsin said he notified the DOR and shared documentation to prove what he saw. He said the department never responded to him, but that within a few days, the issue had been fixed.

“The Department verified the vulnerability and immediately removed the application from external access,” DOR spokeswoman Bethany Wester said in a statement. “The Department corrected the vulnerability in the registration application within 24 hours, and two external data security companies have verified that the application is now secure.”

Wester said that 417 registrations contained “confidential information,” and all of them were contacted by phone or in writing within four days. The DOR also offered a year of complimentary credit monitoring to each affected taxpayer, she added.

“At this time, the 417 affected taxpayers contacted have not informed the Department of any signs of information exploitation,” Wester said. “No sign of exploitation prior to this breach was identified.”

“The Department’s review of the information the individual [Mohsin] provided regarding vulnerabilities in our system is ongoing and has assisted the Department in assessing other potential vulnerabilities,” Wester continued. “The Department acknowledges that the confidentiality of business and personal information is a public trust and treats any threat to the security of that information with immediate and utmost concern.”

“It's essential to have a well-developed data security policy in place to safeguard an organization's most sensitive data,” Mohsin said. “This tactic will make it easier to ascertain the data ownership, provenance, degree of sensitivity, potential applications, and other details. For this, implementing a cybersecurity framework and adopting the policies and cybersecurity strategy can reduce the attack surface.”

“It should be noted that IT teams are not the ones responsible for maintaining cybersecurity within an organization, but all the employees should be trained on cyber threats and how to tackle them as most data breaches are caused by human lack of awareness or negligence,” Mohsin added.
