The HMRC has plugged two serious security flaws in its tax filing service that allowed an ethical hacker to access sensitive financial information belonging to citizens.
Security flaws in the UK’s tax filing service allowed hackers to view or modify a person’s tax records and harvest his financial information.
In a detailed blog post published on Friday, a security researcher going by the name Zemnmez not only uncovered two major security vulnerabilities in the official tax filing website but also revealed how hard it is for a researcher to report security flaws to the HMRC and get them patched.
Zemnmez described in detail two very neat methods that hackers may employ to harvest sensitive financial details of UK citizens from the HMRC’s tax filing website.
While one of the flaws made it possible for a hacker to use the HMRC website as a “forwarding service” to send users to any other malicious website, the other flaw enabled hackers to harvest detailed tax filing details and other financial information belonging to UK citizens.
In the first case, Zemnmez exploited a flaw in the redirect parameter that the HMRC website uses to send a user to a different page once he has filled in his login details. By using a simple quirk of URL syntax in the redirect value, Zemnmez was able to convince the software that the redirect destination was a related HMRC page and not a malicious site set up by hackers.
This way, he said, hackers could set up a site that looked like the HMRC service, get citizens to fill in their taxes there, and harvest their sensitive information in the process.
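To make the weak-versus-strict distinction concrete, here is an added Python example (not HMRC's code; the host name tax.example.gov.uk and the sample URLs are constructed): a substring-style check of the kind that open redirects slip past, beside a validator that parses the URL and allows only local paths or same-host HTTPS destinations.

```python
from urllib.parse import urlsplit

# Assumed trusted host for the example; not the real HMRC host name.
TRUSTED_HOST = "tax.example.gov.uk"


def naive_is_safe(redirect: str) -> bool:
    """Weak check: accepts any value that merely mentions the trusted host."""
    return TRUSTED_HOST in redirect


def hardened_is_safe(redirect: str) -> bool:
    """Strict check: allow only a local path or an HTTPS URL whose parsed host is ours."""
    if not redirect or any(c in redirect for c in "\\\r\n\t"):
        return False  # reject control characters and backslash tricks outright
    try:
        parts = urlsplit(redirect)
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: a single leading slash only ("//host" parses as a netloc)
        return redirect.startswith("/") and not redirect.startswith("//")
    if parts.scheme.lower() != "https":
        return False
    # Compare the parsed host, not the raw string, so userinfo ("host@evil")
    # and look-alike subdomains ("host.evil") do not pass.
    return (
        parts.hostname == TRUSTED_HOST
        and parts.username is None
        and parts.password is None
    )


# Constructed sample redirect values: local path, genuine same-host URL, then
# three values that name the trusted host without actually pointing at it.
SAMPLES = [
    "/account/summary",
    "https://tax.example.gov.uk/account",
    "https://evil.example/?next=tax.example.gov.uk",
    "https://tax.example.gov.uk@evil.example/",
    "https://tax.example.gov.uk.evil.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:50} naive={naive_is_safe(url)!s:5} hardened={hardened_is_safe(url)}")
```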
Considering that both security flaws needed immediate fixing, Zemnmez decided to contact the HMRC’s security team to report them. After his initial emails to email@example.com bounced because no such address existed, he turned to Twitter to ask the government where to report security flaws. Further communications with the government and the NCSC didn’t produce any results until someone suggested he call the Press Office to report the issues.
According to the NCSC’s vulnerability disclosure policy, the organisation works with ‘an invited group of security practitioners’ to identify and resolve vulnerabilities across public-facing systems in the public sector. In practice, this means that a researcher who has not been invited by the government has no effective way to tell the government about security flaws he has discovered.
“I understand the significant difficulties involved in these programmes. If a programme were opened to the public to disclose issues without very significant and robust preparation, it would quickly become totally overwhelmed by the volume of reports, both valid and invalid,” Zemnmez told the BBC.
After Zemnmez was finally able to report the security flaws to the HMRC, the department fixed them and is taking steps to improve the ways in which researchers and ethical hackers can get in touch to report security flaws.
“HMRC has addressed the vulnerabilities mentioned in this article and we undertake regular testing of our systems. HMRC takes the protection of customer data very seriously and invests heavily to secure our services,” said an HMRC spokesman.