by
December 6, 2022
The Social Security and bank account data of hundreds of taxpayers were disclosed due to a security vulnerability in Florida's Department of Revenue website.
Security researcher Kamran Mohsin discovered a security vulnerability on Florida's Department of Revenue's website. The first information about the incident was issued in a report published by TechCrunch on Dec 2nd, 2022. The report said that the vulnerability exposed sensitive data belonging to hundreds of taxpayers, such as bank account numbers and social security cards.
The security researcher who discovered the vulnerability tried to manipulate the parameters in the URL that contains the taxpayers' application number. As these application numbers were sequential, the researcher could enumerate taxpayer information by incrementing the application number by a single digit.
For example: imagine the url is /applications/{application-id}. In this case {application-id} is sequential meaning they could be 200, 201, 202 and so on. The attacker can access the application details of any tax payer by simply incrementing the {application-id}. Attacker is able to access the information because the url doesn’t have a proper authorization mechanism set.
The vulnerability is known as Insecure Object Direct Reference (IDOR), a vulnerability type that allows unauthorized access to the user's sensitive data by manipulating user/object IDs.
By exploiting this vulnerability, the researcher discovered over 713,000 applications in the Department's system. He further claimed that on October 27th, 2022, he alerted the Florida Department of Revenue, and the flaw was fixed within four days. Despite the bug being resolved, he said he had not been contacted by the Department since.
Anyone who logged in to the state's business tax registration website could access, modify, and delete the personal data of business owners whose information is on file with the state's tax authority.
The vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information. Within a two-day timeframe, the Department attempted to contact each affected business by phone and contacted all affected taxpayers by phone or in writing within four days. The Department has also offered each affected taxpayer one year of complimentary credit monitoring.
Source: Techcrunch