Researcher finds 'serious' security flaws on HMRC's UK tax site


A security researcher discovered two serious flaws on the HMRC tax website which could have allowed attackers to view, or even edit, tax records. But the researcher, Zemnmez, was astonished not only by the flaws, but also at how hard it was to report them.

In a lengthy blog post entitled "how to hack the uk tax system, i guess," Zemnmez gives details of his findings. He also reveals that it took no fewer than 57 days to successfully report the issues so they could be looked into.

Zemnmez is not new to finding bugs and security issues on websites, and his report makes for interesting reading. He found that the login page for the HMRC tax site uses a simple redirect that can be easily exploited. It meant that a malicious URL could use the tax site login page to send login information to another site.

If the site to which victims were forwarded was constructed carefully enough, it could be used to extract further valuable information from victims.
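A login redirect of the kind described above is normally closed by validating the post-login destination on the server before redirecting. The following is an added example, not code from HMRC or from Zemnmez's report; the host name, fallback path and function name are hypothetical, since the article does not give the real ones.

```python
from urllib.parse import urlsplit

# Hypothetical values: the article does not name the real host or parameter.
ALLOWED_HOSTS = {"tax.example.gov.uk"}
DEFAULT_TARGET = "/account"


def safe_redirect_target(raw: str) -> str:
    """Return raw if it is a safe post-login destination, else DEFAULT_TARGET."""
    if not raw or len(raw) > 2048 or raw != raw.strip():
        return DEFAULT_TARGET
    # Browsers treat "\" like "/" and drop tabs/newlines inside URLs, so
    # reject them instead of guessing how a browser will reinterpret them.
    if "\\" in raw or any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(raw)
    except ValueError:
        return DEFAULT_TARGET
    # Same-site relative path: no scheme, no host, exactly one leading slash
    # ("//host/..." is scheme-relative and leaves the site).
    if not parts.scheme and not parts.netloc:
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return DEFAULT_TARGET
    # Absolute URL: https only, exact host match, no userinfo, default port.
    if parts.scheme != "https":
        return DEFAULT_TARGET
    try:
        port = parts.port
    except ValueError:
        return DEFAULT_TARGET
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    if port not in (None, 443):
        return DEFAULT_TARGET
    if (parts.hostname or "").lower() in ALLOWED_HOSTS:
        return raw
    return DEFAULT_TARGET
```

Anything that fails validation falls back to a fixed page on the same site, so a crafted link can never carry the user off-site after login.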

The second vulnerability was more serious. The device signature service used by HMRC gathers a massive amount of information about users' computers as a means of identification. The file used to transmit this information was disguised slightly using JavaScript, and with a little more work it would be possible to access someone else's tax information. It's not the sort of thing a layman would be able to achieve, but as Zemnmez's description makes clear, it's not exactly rocket science either.

The story starts in the middle of April and sees Zemnmez contacting endless government departments to try to report his worrying findings. It wasn't until the middle of June that the problem was fixed, and only after this that he thought it was reasonable to disclose his findings.

In response, HMRC has said that it has fixed the problems and is also looking for ways to make it easier for people to report security issues in the future.

You can read through the full report in Zemnmez's post on Medium.


© 1998-2018 BetaNews, Inc. All Rights Reserved.