Security flaws in HMRC website could let hackers steal citizens’ tax filing details


The HMRC has plugged two serious security flaws in its tax filing service that allowed an ethical hacker to access sensitive financial information belonging to citizens.

Security flaws in the UK’s tax filing service allowed hackers to view or modify a person’s tax records and harvest his financial information.

In a detailed blog published on Friday, a security researcher going by the name Zemnmez has uncovered not only two major security vulnerabilities in the official tax filing website but also revealed how hard it is for a researcher to report security flaws to the HMRC and to get such flaws patched.


Zemnmez described in detail two very neat methods that hackers may employ to harvest sensitive financial details of UK citizens from the HMRC’s tax filing website.

While one of the flaws made it possible for a hacker to use the HMRC website as a “forwarding service” to send users to any other malicious website, the other flaw enabled hackers to harvest detailed tax filing details and other financial information belonging to UK citizens.

In the first case, Zemnmez exploited a flaw in the redirect parameter, which sends a user on to a different page once he has entered his login details on the HMRC website. By using a simple trick of HTTP URL syntax in the redirect value, Zemnmez was able to convince the software that the redirect URL pointed to a related page and not to a malicious site set up by hackers.

This way, he said, hackers could set up a site that looked like the HMRC service, get citizens to fill in their taxes there and unknowingly share their sensitive information in the process.


The second, and more worrying, exploit involved getting the browser to load a URL starting with ‘javascript:’, so that the browser would run the hacker’s code rather than load HMRC’s own URL. This way, a hacker could view and even edit tax information belonging to citizens.
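The two classes of redirect value described above can be caught by the same server-side check. The following is an added illustration, not HMRC’s code or anything from the researcher’s write-up: a weak validator of the kind that accepts both a ‘javascript:’ value and a lookalike host, beside a hardened one that allows only same-site paths or absolute https URLs on one assumed hostname (`tax.example.gov.uk` is a placeholder).

```python
from urllib.parse import urlsplit

# Placeholder hostname for the service; not HMRC's real configuration.
ALLOWED_HOST = "tax.example.gov.uk"


def weak_is_safe_redirect(url: str) -> bool:
    """Illustrative weak check (assumed, not HMRC's code): 'no host means it is one
    of our own pages, and our hostname appearing in the host part means it is ours'.
    Both assumptions fail: 'javascript:...' has no host, and 'ourhost.attacker'
    or 'ourhost@attacker' both contain the hostname."""
    parts = urlsplit(url)
    return parts.netloc == "" or ALLOWED_HOST in parts.netloc


def is_safe_redirect(url: str) -> bool:
    """Allow only a plain same-site path or an absolute https URL on ALLOWED_HOST."""
    # Browsers strip some control characters before deciding on a scheme, so a
    # value such as '\tjavascript:' is refused outright rather than parsed.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False
    # Browsers treat backslashes as slashes; refuse them rather than reason about it.
    if "\\" in url:
        return False
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "":
        # Relative value: must be a path on this site, not scheme-relative ('//host/...').
        return url.startswith("/") and not url.startswith("//")
    # Absolute value: only https, and only an exact match on the host we serve.
    return scheme == "https" and parts.hostname == ALLOWED_HOST


if __name__ == "__main__":
    # Constructed sample redirect values for comparison of the two checks.
    samples = [
        "/account/home",
        "https://tax.example.gov.uk/account/home",
        "javascript:void(0)",
        "https://tax.example.gov.uk.attacker.example/",
        "https://tax.example.gov.uk@attacker.example/",
        "//attacker.example/login",
    ]
    for s in samples:
        print(f"{s!r:50} weak={weak_is_safe_redirect(s)!s:5} hardened={is_safe_redirect(s)}")
```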

Considering that both security flaws needed immediate fixing, Zemnmez decided to contact the HMRC’s security team to report them. After his initial emails bounced because no such email address existed, he contacted the government on Twitter to find out where security flaws should be reported. Further communications with the government and the NCSC produced no result until someone suggested he call the Press Office to report the issues.

According to the NCSC’s vulnerability disclosure policy, the organisation will work with ‘an invited group of security practitioners’ to identify and resolve vulnerabilities across public-facing systems in the public sector. What this means is that a researcher who has not been invited by the government has no effective way to tell it about security flaws he has discovered.


“I understand the significant difficulties involved in these programmes. If a programme were opened to the public to disclose issues without very significant and robust preparation, it would quickly become totally overwhelmed by the volume of reports, both valid and invalid,” Zemnmez told the BBC.

After Zemnmez was finally able to tell the HMRC about the security flaws, the department fixed them and is taking steps to improve the ways in which researchers and ethical hackers can get in touch with it to report security flaws.

“HMRC has addressed the vulnerabilities mentioned in this article and we undertake regular testing of our systems. HMRC takes the protection of customer data very seriously and invests heavily to secure our services,” said an HMRC spokesman.

Copyright Lyonsdown Limited 2021
