Security flaws in HMRC website could let hackers steal citizens’ tax filing details

The HMRC has plugged two serious security flaws in its tax filing service that allowed an ethical hacker to access sensitive financial information belonging to citizens.

Security flaws in the UK's tax filing service allowed hackers to view or modify a person's tax records and harvest their financial information.

In a detailed blog post published on Friday, a security researcher going by the name Zemnmez not only uncovered two major security vulnerabilities in the official tax filing website but also revealed how hard it is for a researcher to report security flaws to the HMRC and to get such flaws patched.

Zemnmez described in detail two very neat methods that hackers may employ to harvest sensitive financial details of UK citizens from the HMRC's tax filing website.

While one of the flaws made it possible for a hacker to use the HMRC website as a "forwarding service" to send users to any other malicious website, the other flaw enabled hackers to harvest detailed tax filing details and other financial information belonging to UK citizens.

In the first case, Zemnmez exploited a flaw in the redirect parameter that the HMRC website uses to send a user on to a different page once they have filled in their login details. By exploiting a simple quirk of URL syntax in the redirect value, Zemnmez was able to convince the software that the redirect URL pointed to one of its own pages rather than to a malicious site set up by hackers.

This way, he said, hackers could set up a site that looked like the HMRC service and get citizens to fill in their taxes, unknowingly sharing their sensitive information in the process.

The second, and more worrying, exploit involved getting the browser to follow a redirect to a URL starting with 'javascript:', so that the browser would run a hacker's script in the context of the HMRC site rather than load HMRC's own page. This way, a hacker could view and even edit tax information belonging to citizens.
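Both flaws come down to a single missing server-side check: whether the redirect parameter is validated before the user is sent to it. The function below is an added example written for this article, not code from HMRC or from Zemnmez's write-up; the origin `https://tax.example.gov.uk` and the landing page `/home` are constructed placeholders. It accepts only site-relative paths and falls back to a fixed page for anything else, which rejects both the "forwarding service" case (another host, including the protocol-relative `//host` form) and the `javascript:` case.

```python
from urllib.parse import urlsplit, urljoin

# Constructed placeholder for the service's origin; the page gives no HMRC hostname.
TRUSTED_ORIGIN = "https://tax.example.gov.uk"


def safe_redirect_target(target: str, default: str = "/home") -> str:
    """Return `target` if it is a safe same-origin path, otherwise `default`.

    Policy: only a site-relative path (exactly one leading '/') is accepted,
    and the path resolved against TRUSTED_ORIGIN must still be on that origin.
    Absolute URLs, protocol-relative URLs ('//host', '///host'), any scheme
    such as 'javascript:' or 'data:', and whitespace or backslash tricks all
    fall back to the default landing page.
    """
    if not isinstance(target, str) or not target:
        return default

    # Some browsers ignore leading/trailing whitespace and embedded control
    # characters in URLs (e.g. 'java\tscript:'), which can hide a scheme from
    # a naive check. Refuse such input rather than trying to clean it.
    if target != target.strip() or not target.isprintable():
        return default

    # Some browsers treat '\' like '/', so '/\host' would become '//host'.
    if "\\" in target:
        return default

    # Two or more leading slashes are parsed by browsers as an authority
    # ('//host' or '///host'), not as a path.
    if target.startswith("//"):
        return default

    parts = urlsplit(target)
    # A scheme ('javascript:', 'https:', ...) or a network location means this
    # is not a plain site-relative path.
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/"):
        return default

    # Belt and braces: resolve against the trusted origin and confirm the
    # result still lives there.
    resolved = urlsplit(urljoin(TRUSTED_ORIGIN, target))
    trusted = urlsplit(TRUSTED_ORIGIN)
    if resolved.scheme != trusted.scheme or resolved.netloc != trusted.netloc:
        return default

    return target


if __name__ == "__main__":
    # Constructed sample values a login handler might receive in `redirect=`.
    for candidate in ["/account/summary", "//other.example/login",
                      "javascript:alert(1)", "https://other.example/"]:
        print(f"{candidate!r:32} -> {safe_redirect_target(candidate)!r}")
```

The allow-list is deliberately narrow: a same-origin absolute URL is also refused, because a login handler never needs one and every extra accepted shape is another parser edge case to get right. Whatever the handler does with the result, the value written to the `Location` header (or assigned to `window.location` on the client) should be the checked value, never the raw parameter.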

Considering that both security flaws needed immediate fixing, Zemnmez decided to contact the HMRC's security team to report them. After his initial emails to security@gov.uk bounced because no such address existed, he turned to Twitter to ask the government where security flaws should be reported. Further exchanges with the government and the NCSC led nowhere until someone suggested he call the Press Office to report the issues.

According to the NCSC's vulnerability disclosure policy, the organisation will work with 'an invited group of security practitioners' to identify and resolve vulnerabilities across public-facing systems in the public sector. What this means is that a researcher who has not been invited by the government has no effective channel for telling it about the security flaws they discover.

"I understand the significant difficulties involved in these programmes. If a programme were opened to the public to disclose issues without very significant and robust preparation, it would quickly become totally overwhelmed by the volume of reports, both valid and invalid," Zemnmez told the BBC.

After Zemnmez was finally able to inform the HMRC about the security flaws, the department fixed them and is taking steps to improve the ways in which researchers and ethical hackers can get in touch with it to report security flaws.

"HMRC has addressed the vulnerabilities mentioned in this article and we undertake regular testing of our systems. HMRC takes the protection of customer data very seriously and invests heavily to secure our services," said an HMRC spokesman.

Copyright Lyonsdown Limited 2020
