Researcher finds 'serious' security flaws on HMRC's UK tax site

By Sofia Elizabella Wyciślik-Wilson
Published 7 years ago

security-breach-laptop

A security researcher discovered two serious flaws on the HMRC tax website which could have allowed attackers to view, or even edit, tax records. But the researcher, Zemnmez, was astonished not only by the flaws, but also at how hard it was to report them.

In a lengthy blog post entitled "how to hack the uk tax system, i guess," Zemnmez gives details of his findings. He also reveals that it took no fewer than 57 days to successfully report the issues so they could be looked into.

Zemnmez is not new to finding bugs and security issues on websites, and his report makes for interesting reading. He found that the login page for the HMRC tax site uses a simple redirect that can be easily exploited. It meant that a malicious URL could use the tax site login page to send login information to another site.

If the site to which victims were forwarded was constructed carefully enough, it could be used to extract further valuable information from victims.

The second vulnerability was more serious. The device signature service used by HMRC, augur.io, gathers a massive amount of information about users' computers as a means of identification. The file used to transmit this information was disguised slightly using Javascript, and with a little more work it would be possible to access someone else's tax information. It's not the sort of thing a layman would be able to achieve, but as Zemnmez's description makes clear, it's not exactly rocket science either.

The story starts in the middle of April and sees Zemnmez contacting endless government departments to try to report his worrying findings. It wasn't until the middle of June that the problem was fixed, and only after this that he thought it was reasonable to disclose his findings.

In response, HMRC has said that it has fixed the problems and is also looking for ways to make it easier for people to report security issues in the future.

Researcher finds 'serious' security flaws on HMRC's UK tax site

One Response to Researcher finds 'serious' security flaws on HMRC's UK tax site

Recent Headlines

The psychological impact of phishing attacks on your employees

Canonical releases Ubuntu Linux 24.04 LTS 'Noble Numbat'

New tool lets enterprises build their own secure gen AI chatbots

Younger women are going into cybersecurity but more needs to be done

Politically motivated DDoS attacks on the rise

TCL 50 XL 5G Android smartphone hits Metro by T-Mobile: Big features, small price

The increasing sophistication of synthetic identity fraud

Most Commented Stories

Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.4.0 'pl'

The stunning Windows 13 -- yes, 13! -- is the Microsoft operating system we want

Microsoft 'improves' Windows 11 by bringing ads to the Start menu in the US

Microsoft is up to its old tricks yet again -- Windows 10 users harassed with full-screen Windows 11 upgrade warnings

Outrageous: Microsoft to charge $61 for Windows 10 updates -- consider switching to Linux!

Windows 11 slammed for its 'comically bad' performance even on high-end hardware

Microsoft releases preview version of Office 2024 for Windows and macOS -- download it now!

Easter giveaway! Get a licensed copy of 'VideoProc Converter for Windows/Mac' (worth $78.90) for FREE