Web Based Turbo Tax Disclosure Vulnerability Found

Anonymous MPLS Coward writes "Looks like the web-based Turbo Tax was allowing some users to look at other user's tax return information. Reports state that things like bank routing information was available as well as SSNs. Turbo Tax software was unaffected; the bug is in the web-based Turbo Tax service."

Not the first time this year!

[SD_92104]

It is very scary to see how much value Intuit seems to put to customer's data and how much they learn from past mistakes...

On January 6th this year I received an email from TurboTax Online with the subject
"TurboTax User ID Enclosed: Online Products Now Available!"

Problem being that - in addition to my UserID - it also contained two other (seemingly random) UserID including a live link to their login pages. I tried to be nice and alert them of their security problem but it was not easy. After hunting through the website for a feedback/support link I could only find an online chat with one of their support people. It took me close to an hour to tell her about the problem (it somehow didn't seem to fit into her questionnaire flow chart...) and she promised that she would pass the information on to the tech department and that they would get back to me (yeah, right!). I also asked her repeatedly to delete my account including all data and she said it couldn't be done and that I wouldn't have anything to worry about as the data would be safe on their servers - apparently not.

Guess I should have been a little more aggressive and tell some news outlet about the problem than thinking that their internal procedures and security audits would be sufficient without additional pressure. I decided after that email to never again use the online TurboTax version (I never actually filed from it before as it was a little too limited) and looks like I made a smart choice.