A UK-based cyber security researcher of Pakistani origin has recently disclosed a vulnerability in the Florida Department of Revenue's website. He found that a web application run by the department had been exposing personal data, including Social Security numbers and bank account information, submitted by individuals filing for business tax registrations.
The bug was reported to state officials on October 27 of last year. The flaw made it possible for external users to view registration data submitted by other taxpayers.
The Florida Department of Revenue confirmed that the exposed data included 417 business tax registrations containing people’s confidential information.
The researcher, Kamran Mohsin, told Pakscience that he discovered the vulnerability while assisting a friend who was starting an online store and registered for a business license in Florida.
Mohsin said he discovered an access-control flaw in the website that allowed access to individual filings without authorization. This type of vulnerability is known as an insecure direct object reference, or IDOR: the application exposes an identifier for a stored record (for example a filing number in a URL or form field) and serves the record to whoever supplies that identifier, without checking that the requester is actually entitled to see it. When the identifiers are sequential or otherwise guessable, an attacker can walk through them and pull every record the server holds.
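As an added illustration (this is example code written for this article, not the Florida Department of Revenue's application, whose internals and login model were not published), the block below models a "view my tax registration" endpoint twice: once with the IDOR pattern described above, and once with the per-record ownership check that fixes it. The filings, account names and sequential IDs are constructed sample data, and the example assumes a logged-in session; the `enumerate_filings` helper shows how cheaply sequential IDs can be walked against the vulnerable version.

```python
"""Added example: an IDOR in a 'view my filing' endpoint, and its fix.

Everything here (records, account names, IDs, function names) is constructed
for illustration and is not the real site's code or data.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Filing:
    filing_id: int
    owner: str          # account that submitted the registration
    business_name: str
    ssn_last4: str      # stand-in for the sensitive fields in a real filing


# Constructed sample data. Sequential IDs are what make enumeration cheap.
FILINGS = {
    1001: Filing(1001, "alice", "Alice's Online Store", "1234"),
    1002: Filing(1002, "bob", "Bob's Bakery", "5678"),
    1003: Filing(1003, "carol", "Carol's Consulting", "9012"),
}


class Forbidden(Exception):
    """Caller is not logged in."""


class NotFound(Exception):
    """No record is available to this caller under that id."""


def view_filing_vulnerable(session_user: str, filing_id: int) -> Filing:
    """The IDOR pattern: the handler requires a logged-in user but never checks
    that the requested filing belongs to that user. Any authenticated user who
    edits the id in the URL, or a script that walks the id space, gets the record.
    """
    if not session_user:
        raise Forbidden("login required")
    filing = FILINGS.get(filing_id)
    if filing is None:
        raise NotFound(filing_id)
    return filing  # missing: filing.owner == session_user


def view_filing_fixed(session_user: str, filing_id: int) -> Filing:
    """Object-level authorization: the lookup is scoped to the caller.

    A filing that exists but belongs to someone else is reported exactly like
    one that does not exist, so the response does not reveal which ids are
    valid and the id space cannot be mapped by probing.
    """
    if not session_user:
        raise Forbidden("login required")
    filing = FILINGS.get(filing_id)
    if filing is None or filing.owner != session_user:
        raise NotFound(filing_id)
    return filing


def enumerate_filings(handler: Callable[[str, int], Filing],
                      session_user: str, start: int, stop: int) -> List[Filing]:
    """What a researcher (or attacker) does against a suspected IDOR: walk a
    range of ids with one ordinary session and keep every record returned."""
    leaked = []
    for fid in range(start, stop):
        try:
            leaked.append(handler(session_user, fid))
        except (Forbidden, NotFound):
            continue
    return leaked


def is_denied(handler: Callable[[str, int], Filing],
              session_user: str, filing_id: int) -> bool:
    """True if the handler refuses to return the record to this caller."""
    try:
        handler(session_user, filing_id)
    except (Forbidden, NotFound):
        return True
    return False


if __name__ == "__main__":
    # Logged in as alice, walk ids 1000..1009 against both handlers.
    print(len(enumerate_filings(view_filing_vulnerable, "alice", 1000, 1010)))  # 3
    print(len(enumerate_filings(view_filing_fixed, "alice", 1000, 1010)))       # 1
```

The fix is the single ownership comparison in `view_filing_fixed`; the design choice worth copying is that it raises the same `NotFound` for "someone else's record" as for "no such record", so an enumeration run learns nothing about how many filings exist.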
Mohsin’s discovery was first reported by TechCrunch.
Screenshots shared by Mohsin show tax filers’ names, home and business addresses, tax identification numbers and other personal details.
In an emailed statement, the Florida Department of Revenue said it verified the vulnerability after being contacted by Mohsin and immediately removed the tax-registration application from external access.
The vulnerability was corrected within 24 hours, and two external vendors confirmed the fix, according to state officials.
The agency also said that, within two days of learning about the exposure, it contacted the 417 taxpayers whose data was confirmed to have been exposed, and that it has offered those individuals a year of free credit monitoring. There is no evidence that any of the data has been exploited by malicious actors.
Mohsin told the media that he never heard back from Florida officials. State officials have not always taken kindly to discoveries of vulnerabilities in government websites.