UK-based Pakistani researcher Kamran Mohsin spared 713,000 American taxpayers a potential exposure of their personal information, including banking details, addresses and income statements. Florida’s Department of Revenue website had a flaw that exposed hundreds of filers’ bank accounts and Social Security numbers.
Anyone with a little cyber security knowledge could log in to the state business tax registration website and view, modify and even delete another taxpayer’s personal data simply by editing the web address that pointed to a taxpayer’s application number: changing the digits in the link was all it took.
Bethany Webster, a representative of Florida’s Department of Revenue, said the department fixed the bug and removed the potential threat within a few days of the report, and that two unnamed firms have since deemed the site secure. She added there was “no sign” attackers abused the flaw, but did not say how officials would have spotted any misuse.
“The vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information. Within a two-day timeframe, the Department attempted to contact each affected business by phone and contacted all affected taxpayers by phone or in writing within four days. The Department has also offered one year of complimentary credit monitoring to each affected taxpayer.”
The underlying problem with the Department’s site is known as an insecure direct object reference, or IDOR: a class of access control vulnerability that exposes files or records stored on a server when an application uses user-supplied input (here, the application number in the URL) to look up an object directly, with weak or no check that the requester is actually entitled to that object. Many access control implementation mistakes can lead to those controls being circumvented. Mohsin said regarding all these incidents:
“It’s essential to have a well-developed data security policy in place to safeguard an organization’s most sensitive data. This tactic will make it easier to ascertain the data ownership, provenance, degree of sensitivity, potential applications, and other details. For this, implementing a cybersecurity framework and adopting the policies and cybersecurity strategy can reduce the attack surface.”
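To make the IDOR described above concrete, here is an added example that is not code from the article or from the Department’s site. It models a registration lookup keyed by the application number taken from the URL, first in the vulnerable form (logged in is the only check) and then in a hardened form that enforces ownership of the object, and it adds a simple log check a defender could run to spot one session walking through many application numbers. The record store, user names and log lines are all constructed for illustration.

```python
"""Added example, not from the article or the Department's own code.

Models the IDOR described in the article: an endpoint that fetches a
taxpayer registration by the application number taken straight from the
URL. Records, users and log lines below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    app_number: int
    owner: str          # account that submitted the registration
    bank_account: str
    ssn_last4: str


# Constructed sample data. Application numbers are sequential, which is
# exactly what makes "change the digits in the link" work against the
# vulnerable handler below.
REGISTRATIONS = {
    1001: Registration(1001, "alice", "ACCT-1111", "1234"),
    1002: Registration(1002, "bob", "ACCT-2222", "5678"),
    1003: Registration(1003, "carol", "ACCT-3333", "9012"),
}


def get_registration_vulnerable(session_user, app_number):
    """Vulnerable handler: the only check is that the caller is logged in.
    The session is never compared with the owner of the object the URL
    points at, so any authenticated user can read any registration."""
    if session_user is None:
        return (401, None)
    rec = REGISTRATIONS.get(app_number)
    return (200, rec) if rec else (404, None)


def get_registration_secure(session_user, app_number):
    """Hardened handler: resolve the object, then enforce that the session
    owns it. A record owned by someone else gets the same response as a
    missing one, so the handler does not confirm which numbers exist."""
    if session_user is None:
        return (401, None)
    rec = REGISTRATIONS.get(app_number)
    if rec is None or rec.owner != session_user:
        return (404, None)
    return (200, rec)


# Constructed access-log lines: "<user> GET /registration/<app_number> <status>".
# Note that with the vulnerable handler every line is a 200, so status codes
# alone reveal nothing; the signal is one session touching many objects.
SAMPLE_LOG = """\
alice GET /registration/1001 200
bob GET /registration/1002 200
mallory GET /registration/1001 200
mallory GET /registration/1002 200
mallory GET /registration/1003 200
mallory GET /registration/1004 404
carol GET /registration/1003 200
"""


def find_enumeration(log_text, threshold=3):
    """Flag users that requested at least `threshold` distinct application
    numbers they do not own. Returns {user: sorted foreign app numbers}."""
    foreign = defaultdict(set)
    for line in log_text.splitlines():
        user, _method, path, _status = line.split()
        if not path.startswith("/registration/"):
            continue
        app = int(path.rsplit("/", 1)[1])
        rec = REGISTRATIONS.get(app)
        if rec is None or rec.owner != user:
            foreign[user].add(app)
    return {u: sorted(a) for u, a in foreign.items() if len(a) >= threshold}


if __name__ == "__main__":
    print("vulnerable:", get_registration_vulnerable("mallory", 1001))
    print("secure:    ", get_registration_secure("mallory", 1001))
    print("flagged:   ", find_enumeration(SAMPLE_LOG))
```

The hardened handler deliberately returns the same 404 for "not yours" and "does not exist"; returning 403 for foreign records would still leak which application numbers are valid. The log check assumes the analyst can resolve ownership from the registration store, which is the normal situation for an internal review of access logs after a report like this one.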
There were no signs or reports of any misuse of the information, and Kamran Mohsin appears to have been the first to find the bug in the site. He reported it to Florida’s Department of Revenue on 27 October, and the department dealt with the vulnerability promptly once it had been reported.
“It should be noted that IT teams are not the ones responsible for maintaining cybersecurity within an organization, but all the employees should be trained on cyber threats and how to tackle them as most data breaches are caused by human lack of awareness or negligence,” Mohsin added.