Florida’s state revenue department website had a security bug that allowed anyone to log in and access the sensitive data of other taxpayers.
Threat actors could have used this access to modify or even delete taxpayers' records on the portal, which now holds over 700,000 applications. Before anyone did so, the department patched the bug and sent out alerts to all the taxpayers involved in this incident.
Exposing PII of Taxpayers
A researcher named Kamran Mohsin found a security bug on the website of Florida's Department of Revenue that allowed anyone with log-in access to view, modify and delete other people's records. As of now, there are over 713,000 applications in the department's portal.
A breach of this kind would expose all the information stored in those applications. The researcher noted (via TechCrunch) that sensitive details such as users' bank data and social security numbers were involved in the incident and may have been exposed.
The revenue department dismissed these concerns, saying that no signs of such abuse had been recorded so far, and it patched the bug four days after being informed by the researcher. The bug was said to be an insecure direct object reference and was relatively easy to fix.
But while it was live, anyone with log-in access could reach the data of other taxpayers simply by modifying the website's URL: putting the target's application number into it retrieved their details without any further authentication.
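The missing check behind an insecure direct object reference of the kind described above, shown as an added example that is not the department's code or its actual fix. All names and records are constructed for illustration; the hardened lookup ties the record to the logged-in account and keeps an audit trail that a simple detection rule can read.

```python
# Added example: hypothetical names and constructed sample data throughout.
from dataclasses import dataclass

@dataclass(frozen=True)
class Application:
    number: int
    owner: str       # account that filed the application
    ssn_last4: str   # stand-in for the sensitive fields

# Constructed sample records, not real data.
APPLICATIONS = {
    1001: Application(1001, "alice", "1234"),
    1002: Application(1002, "bob", "5678"),
}

class NotFound(Exception):
    """Used for missing AND foreign records, so replies do not reveal which numbers exist."""

def get_application_vulnerable(session_user: str, number: int) -> Application:
    # IDOR: the session is authenticated, but the number taken from the URL
    # is trusted as-is and never compared with the record's owner.
    if number not in APPLICATIONS:
        raise NotFound(number)
    return APPLICATIONS[number]

def get_application_fixed(session_user: str, number: int, audit: list) -> Application:
    record = APPLICATIONS.get(number)
    # Object-level authorization: the record must belong to the session's user.
    if record is None or record.owner != session_user:
        audit.append((session_user, number))  # trail for later detection
        raise NotFound(number)
    return record

def suspicious_users(audit: list, threshold: int = 3) -> set:
    """Flag accounts denied on `threshold` or more distinct application numbers."""
    seen = {}
    for user, number in audit:
        seen.setdefault(user, set()).add(number)
    return {user for user, numbers in seen.items() if len(numbers) >= threshold}
```

The threshold of three distinct denied numbers is an arbitrary value for the example; a real rule would be tuned against normal traffic.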
After patching it, the department said it had informed all the affected taxpayers by phone call or in writing and had even offered a free credit monitoring service for one year as a precautionary measure.