'Serious' security flaws found on official UK tax site

image copyrightOli Scarff
image captionReporting the website flaws took far longer than finding them

The UK tax office must improve its handling of website security problems, says an expert who spent 57 days trying to report a bug.

The researcher, called Zemnmez, found two separate flaws on HMRC's online tax service.

He said finding who to report the issues to was more challenging than finding the bugs.

HMRC said it had addressed the problems and was looking at improving ways for people to get in touch.

Zemnmez said exploiting either flaw could have let attackers view or modify tax records or harvest key details from Britons.

"I spent days reaching out to half a dozen different government social media accounts attempting to find where the right place to go was and got nothing meaningful in response," he told the BBC.

The UK's National Cyber Security Centre - contacted through friends with intelligence connections - was key in helping get the security problems solved, he added.

Common weakness

Clues that the HMRC site was vulnerable to attack were picked up by Zemnmez as he was using the site to check his taxes.

His expertise and experience in finding similar bugs on other websites suggested that the way the HMRC log-in system interacted with his browser left it vulnerable to some well-known attacks.

After a short period of experimentation, he found that it was possible to use the HMRC site as a "forwarding service" and send a victim to any site an attacker wanted.

"This could be used to coax the victim into revealing financial information, credentials and usernames and passwords," he said.

image copyrightmaciek905
image captionFinding the flaws involved digging in to the code of the HMRC site

This type of bug is known as an open redirect vulnerability and is a common weakness found on lots of different sites, he added.

The second security issue took longer to uncover, said Zemnmez, but was potentially more damaging as, if exploited, it could give an attacker control over a victim's information, potentially letting them modify it.

Ironically, he said, the code vulnerable to this serious bug was found in a website script used to digitally fingerprint users for fraud protection.

Exploiting this bug would have been much trickier for cyber-thieves, he said, adding that it was likely that anyone interested in attacking the HMRC site would use more straightforward methods to get people to hand over information.

'Very frustrating'

In response, an HMRC spokesman said: "HMRC has addressed the vulnerabilities mentioned in this article and we undertake regular testing of our systems."

He added: "HMRC takes the protection of customer data very seriously and invests heavily to secure our services."

Zemnmez said that although finding the security issues was straightforward, tracking down people in government that could help fix them proved to be "very frustrating".

While trying to report the issues he found, Zemnmez discovered that the UK government does run a "responsible disclosure" programme that seeks reports of problems with government sites and services.

However, he said, the fact that it was invitation-only limited its usefulness.

image copyrightCarl Court
image captionThe National Cyber Security Centre advises UK government on security

"I understand the significant difficulties involved in these programmes," he told the BBC. "If a programme were opened to the public to disclose issues without very significant and robust preparation, it would quickly become totally overwhelmed by the volume of reports, both valid and invalid."

Despite this, he said, there should be a way for government to handle reports from seasoned security experts who let them know about problems with the most sensitive official systems.

The HMRC said it was in close contact with the NCSC about the way it handled security.

It said: "HMRC is working with the NCSC to ensure that there is a single route for reporting security vulnerabilities to government.

"HMRC is also working to ensure that our internal processes are better streamlined to ensure that those reporting vulnerabilities are contacted in good time."

More on this story