Slashdot Mirror


Web Based Turbo Tax Disclosure Vulnerability Found

Anonymous MPLS Coward writes "Looks like the web-based Turbo Tax was allowing some users to look at other users' tax return information. Reports state that things like bank routing information were available as well as SSNs. Turbo Tax software was unaffected; the bug is in the web-based Turbo Tax service."

7 of 110 comments

  1. Penalty for the developers by davidmillions.com · · Score: 5, Insightful

    Companies should be penalized for something so severe to let them know that they need to do a better job in the future.

  2. Re:Exaggerated synopsis by HomelessInLaJolla · · Score: 3, Insightful

    Nothing is ensured, though. If one random user can happen to stumble across a flaw then there are probably ten or twenty other flaws which can be found by more detailed analysis of the code.

    The original software authors probably already know most of them and are happily passing that information along to their friends in political office--or to their cohorts on IRC.

    --
    the NPG electrode was replaced with carbon blac
  3. Wearing Jackets with Bull's Eyes by bill_mcgonigle · · Score: 4, Insightful

    The Turbotax.com offering really does sound like a good idea, for the taxpayer, but I still bought the boxed version and won't E-File. These guys are taking perhaps millions of people's sensitive data online, into a database that's Internet accessible. Even if their admins have done the best possible job (let's assume they have) their software has undiscovered vulnerabilities, at least as far as the whitehat community is concerned.

    Now, factor in the fact that there is a smart blackhat community and this database is about the most delicious thing a high-tech organized-crime-sponsored identity thief can imagine - and sometimes it just doesn't make sense to walk around wearing a jacket with a bull's eye painted on the back, even if you're not a coward.

    As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  4. Re:Exaggerated synopsis by LighterShadeOfBlack · · Score: 3, Insightful

    If this was actually in the wild, or exploited, that'll be big

    How do you know it wasn't? This isn't the kind of thing where if it's being exploited people would know it. If the wrong person discovered this first then obviously they wouldn't be running around telling people that they'd found a security hole which they were currently exploiting for their own personal profit.
    --
    Spelling mistakes, grammatical errors, and stupid comments are intentional.
  5. Re:Until... by maxume · · Score: 3, Insightful

    You have to balance a punishment like that against encouraging disclosure. Personally, if my data is lost, I'd rather be sure I hear about it than have the government make a buck.

    --
    Nerd rage is the funniest rage.
  6. Re:Exaggerated synopsis by uofitorn · · Score: 3, Insightful

    If this was actually in the wild

    Well, it was in the wild. It was on their production website, accessible to the public. Any number of less well intentioned individuals could have taken advantage of the flaw before it was actually reported to Turbo Tax.

    If it was in beta or development code, and the flaw was found internally, then it would be as you say.

    --
    "What kind of music do pirates listen to?" -Paul Maud'dib
    "Yeeeaaarrrrr n' Bee!!" -Stilgar, Leader of Sietch Tabr
  7. Re:I'll never go near turbo tax again. by ptbarnett · · Score: 5, Insightful
    You probably made a data entry error in TurboTax -- not necessarily entering the wrong amount, but clicking the "yes" button when you should have clicked "no" (or vice versa).

    Based on the difference in taxes ($280 owed vs. $700 refund = net $980) and presuming a 28% marginal tax rate, the difference in taxable income was $980 / 0.28 = $3,500.

    The personal exemption was $3,100 for tax year 2004. All you had to do was enter the personal exemption incorrectly (as in accidentally tell it you were being claimed as a deduction on someone else's return), and you would have gotten the results you observed.

    If your taxes were that simple, just looking at the generated 1040 (or 1040A) would have revealed whatever error (yours or theirs) was occurring. So, I'm skeptical of your claim.