Pakistani-origin cybersecurity researcher finds flaws in US’ Florida state website

A UK-based cyber security researcher of Pakistani origin has recently exposed vulnerabilities in the website of Florida’s Department of Revenue. He found that a website run by the Florida Department of Revenue had been exposing personal data, including Social Security numbers and bank account information, submitted by individuals filing for business tax registrations.

This bug was reported to state officials on October 27 of last year. The flaw made it possible for external users to view registration data submitted by taxpayers.

The Florida Department of Revenue confirmed that the exposed data included 417 business tax registrations containing people’s confidential information.

The researcher, Kamran Mohsin, told Pakscience that he discovered the vulnerability while assisting a friend who was starting an online store and registered for a business license in Florida.


Mohsin said he discovered an access-control flaw in the website that allowed access to individual filings without authorization. This type of vulnerability is known as an insecure direct object reference, or IDOR: the application looks up a record by an identifier supplied in the request (for example a filing number) and returns it without checking that the requester is the party entitled to see it, so any logged-in or external user who supplies a different identifier can retrieve someone else’s record.
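The following is an added illustration of the IDOR pattern described above, not code from the Florida Department of Revenue application or from the researcher. It models a hypothetical tax-registration lookup with constructed sample records: one handler fetches a filing by its identifier alone (the vulnerable shape), the other enforces that the filing belongs to the requesting account, and a small audit function shows how a defender could flag cross-account reads in constructed access-log lines.

```python
"""IDOR illustration (added example, constructed data; not the Florida DoR app)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    filing_id: int
    owner_account: str   # the account that submitted the filing
    business_name: str
    tin: str             # constructed placeholder, not a real tax ID


# Constructed sample store keyed by the identifier that would appear in a URL.
FILINGS = {
    1001: Registration(1001, "alice", "Alice's Bakery LLC", "TIN-PLACEHOLDER-1"),
    1002: Registration(1002, "bob", "Bob's Garage Inc", "TIN-PLACEHOLDER-2"),
}


class Forbidden(Exception):
    """Raised when a requester asks for a filing that is not theirs."""


def get_filing_insecure(requester: str, filing_id: int) -> Registration:
    """IDOR shape: the record is returned purely on the basis of the identifier.

    The requester's identity is never consulted, so any caller who can guess
    or enumerate filing numbers can read every registration.
    """
    return FILINGS[filing_id]


def get_filing_secure(requester: str, filing_id: int) -> Registration:
    """Hardened shape: authorize the requester against the record's owner.

    Missing records and records owned by someone else produce the same error,
    so the endpoint does not reveal which identifiers exist.
    """
    filing = FILINGS.get(filing_id)
    if filing is None or filing.owner_account != requester:
        raise Forbidden(f"account {requester!r} may not view filing {filing_id}")
    return filing


# Constructed access-log lines in a hypothetical format: who was authenticated
# and which filing was served. Cross-account reads are the signal to alert on.
SAMPLE_LOG = """\
account=alice filing=1001 status=200
account=alice filing=1002 status=200
account=bob filing=1002 status=200
account=carol filing=1001 status=200
"""

_LOG_RE = re.compile(r"account=(\S+) filing=(\d+) status=(\d+)")


def audit_cross_account_reads(log_text: str) -> list[tuple[str, int]]:
    """Return (account, filing_id) pairs where a served filing belonged to someone else.

    A detection like this only works if the application logs the authenticated
    principal alongside the object identifier it returned.
    """
    findings = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m or m.group(3) != "200":
            continue
        account, filing_id = m.group(1), int(m.group(2))
        filing = FILINGS.get(filing_id)
        if filing is not None and filing.owner_account != account:
            findings.append((account, filing_id))
    return findings


if __name__ == "__main__":
    print(get_filing_insecure("alice", 1002).business_name)   # served to the wrong account
    try:
        get_filing_secure("alice", 1002)
    except Forbidden as exc:
        print("blocked:", exc)
    print(audit_cross_account_reads(SAMPLE_LOG))
```

The fix is the ownership comparison, not obscuring the identifier: random filing numbers only slow enumeration, whereas checking `owner_account` against the authenticated principal on every read closes the class of bug regardless of how identifiers are chosen.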

Mohsin’s discovery was first reported by TechCrunch.

Screenshots shared by Mohsin show tax filers’ names, home and business addresses, tax identification numbers and other personal details.


In an emailed statement, the Florida Department of Revenue said it verified the vulnerability after being contacted by Mohsin and immediately removed the tax-registration application from external access.

The vulnerability was corrected within 24 hours, and two external vendors confirmed the fix, according to state officials.

The agency also said it contacted the 417 taxpayers whose data was confirmed to have been exposed within two days of learning about the exposure and has offered those individuals a year of free credit monitoring. There’s no evidence any of the data has been exploited by malicious actors.

Mohsin told the media that he never heard back from Florida officials. State officials have not always taken kindly to discoveries of vulnerabilities in government websites.

