Web Based Turbo Tax Disclosure Vulnerability Found

Anonymous MPLS Coward writes "Looks like the web-based Turbo Tax was allowing some users to look at other user's tax return information. Reports state that things like bank routing information was available as well as SSNs. Turbo Tax software was unaffected; the bug is in the web-based Turbo Tax service."

Penalty for the developers

[davidmillions.com]

Companies should be penalized for something so severe to let them know that they need to do a better job in the future.

Re:Penalty for the developers

[CodeBuster]

Agreed. This is the same kind of crap that I see all of the time from inexperienced developers (especially offshore developers in India). They make all of the classic mistakes, client side javascript for input validation, use of query string parameters with the the SQL command builder on their pages (SQL injections galore), administrative query access to the SQL server directly from the web server, "secret" admin pages, cross-site scripting, you name it and they do it. The problem with a significant portion of the Indian developers is that they are are too busy waving their IIT degree, ISO certs, and other documentation of their extensive education, which taught them everything they needed to know, so they don't need to listen to American devs who have a few lessons left to teach them from school of hard knocks. They suffer from the "not invented here" syndrome, sometimes to an extreme, and thus earn themselves nasty surprises when the attack finally comes and catches them completely flat-footed. The really sad part about all of this is that same types of attacks are used again and again and the same developers keep building vulnerable sites again and again...even long after the attacks are known and proper designs have been presented on many developer forums to avoid these problems (i.e. use stored procedures, limit database permissions to those stored procedures only, don't use the query string for sensitive data, use regular expressions to validate user input data on the server side, etc...)

Exaggerated synopsis

[SpiffyMarc]

The synopsis makes it seem like this was a bigger deal than it is. If this was actually in the wild, or exploited, that'll be big -- but as the article is written, one person stumbled across this problem, reported it, and Intuit fixed it.

Re:Exaggerated synopsis

[HomelessInLaJolla]

Nothing is ensured, though. If one random user can happen to stumble across a flaw then there are probably ten or twenty other flaws which can be found by more detailed analysis of the code.

The original software authors probably already know most of them and are happily passing that information along to their friends in political office--or to their cohorts on IRC.

Re:Exaggerated synopsis

[LighterShadeOfBlack]

If this was actually in the wild, or exploited, that'll be big How do you know it wasn't? This isn't the kind of thing where if it's being exploited people would know it. If the wrong person discovered this first then obviously they wouldn't be running around telling people that they'd found a security hole which they were currently exploiting for their own personal profit.

Re:Exaggerated synopsis

[uofitorn]

If this was actually in the wild

Well, it was in the wild. It was on their production website, accessible to the public. Any number of less well intentioned individuals could have taken advantage of the flaw before it was actually reported to Turbo Tax.

If it was in beta or development code, and the flaw was found internally, then it would be as you say.

Wearing Jackets with Bull's Eyes

[bill_mcgonigle]

The Turbotax.com offering really does sound like a good idea, for the taxpayer, but I still bought the boxed version and won't E-File. These guys are taking perhaps millions of people's sensitive data online, into a database that's Internet accessible. Even if their admins have done the best possible job (let's assume they have) their software has undiscovered vulnerabilities, at least as far as the whitehat community is concerned.

Now, factor in the fact that there is a smart blackhat community and this database is about the most delicious thing an high-tech organized-crime-sponsored identity thief can imagine - and sometimes it just doesn't make sense to walk around wearing a jacket with a bull's eye painted on the back, even if you're not a coward.

As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.

No!

[Bluesman]

Not my bank routing number!

Someone please fix this before someone finds out how to deposit money into my account!

Re:No!

[ZorbaTHut]

I am currently holding in my hand a wire transfer request, dating from a few months ago when I sent money to a friend with an unexpected catastrophe. It asks for very few things.

* Date/time of original request
* "Teller ID" (I called them to ask how to do this and they gave me this bit of information)
* Member name
* Member number (this is embedded in the routing number for my savings account)
* Daytime phone
* Amount
* Information on who gets the money
* Signature

The only parts of this which could be used for authentication:

* The fact that I called
* My name
* My member number
* My phone number
* My signature

Given my tax forms, one could easily find my name and phone number, and if I had chosen the option to wire to or from my checking account, my member number as well. (This is why I would have sent a check, although that doesn't help particularly since the number is still written on the check. I got a refund, however, so they'll be sending me a check instead and I don't have to worry about that particular hole.)

Calling them is easily doable by someone who isn't me. My signature, as much as I hate to admit it, is awful and pretty easily forgeable.

So, in summary: the information on a tax return is a significant fraction of what is needed to withdraw money from someone else's account. It may not be enough. But it certainly helps.

Perhaps we're looking at this the wrong way

[psaunders]

Think of it more as a useful, undocumented feature. Not only can you do your own tax return online, now you can do other people's! Well done to the good folks at Turbo Tax for coming up with it.

Oh, swell!

[Tokerat]

I just filed my taxes with TurboTax Online! Great, now I'm going to be hacked, and then audited and the IRS is going to repossess all of my belon

NO CARRIER

Re:Until...

[maxume]

You have to balance a punishment like that against encouraging disclosure. Personally, if my data is lost, I'd rather be sure I hear about it than have the government make a buck.

This is nothing new

[msblack]

On-line websites have been a major source of information security breaches. A few years ago I was able to perform reverse-directory lookups on Verizon customers. Their DSL registration website was one such problem. After a customer entered his/her telephone number to verify DSL availability, the website displayed the corresponding customer's name and billing address, asking "is your information correct?"

Not the first time this year!

[SD_92104]

It is very scary to see how much value Intuit seems to put to customer's data and how much they learn from past mistakes...

On January 6th this year I received an email from TurboTax Online with the subject
"TurboTax User ID Enclosed: Online Products Now Available!"

Problem being that - in addition to my UserID - it also contained two other (seemingly random) UserID including a live link to their login pages. I tried to be nice and alert them of their security problem but it was not easy. After hunting through the website for a feedback/support link I could only find an online chat with one of their support people. It took me close to an hour to tell her about the problem (it somehow didn't seem to fit into her questionnaire flow chart...) and she promised that she would pass the information on to the tech department and that they would get back to me (yeah, right!). I also asked her repeatedly to delete my account including all data and she said it couldn't be done and that I wouldn't have anything to worry about as the data would be safe on their servers - apparently not.

Guess I should have been a little more aggressive and tell some news outlet about the problem than thinking that their internal procedures and security audits would be sufficient without additional pressure. I decided after that email to never again use the online TurboTax version (I never actually filed from it before as it was a little too limited) and looks like I made a smart choice.

Re:I'll never go near turbo tax again.

[ptbarnett]

You probably made a data entry error in TurboTax -- not necessarily entering the wrong amount, but clicking the "yes" button when you should have clicked "no" (or vice versa).

Based on the difference in taxes ($280 owed vs. $700 refund = net $980) and presuming a 28% marginal tax rate, the difference in taxable income was $980 / 0.28 = 3,500).

The personal exemption was $3,100 for tax year 2004. All you had to do was enter the personal exemption incorrectly (as in accidentally tell it you could were being claimed as a deduction on someone else's return), and you would have gotten the results you observed.

If your taxes were that simple, just looking at the generated 1040 (or 1040A) would have revealed whatever error (yours or theirs) that was occuring. So, I'm skeptical of your claim.

If you want American

[wytcld]

There's one tax software company doing their programming entirely in America, TaxAct (2nd Story Software. I haven't used their Web version, but their Windows version runs nearly flawlessly under Wine on Linux (there are minor problems with checkbox and drop-down list display on screen while filling out forms, but those show up correctly in the print preview and output). I've used TaxCut and TurboTax in past years; TaxAct doesn't have silly videos included, but it's efficient and effective.

I share the caution about Indian programmers. I just dropped checking and savings accounts with Ameriprise (formerly Amex Bank), because in the several years since they shipped the programming off to India they still haven't gotten their site to work reliably in its basic operations. Even before security is considered, the incompetence is amazing. Now I'm seeing a downgrading in the usability of CitiBank's Website, where there's also been extensive recent offshoring - they can't be bothered to test for obvious JavaScript bugs that block Mozilla, for example, even though previously they'd officially and effectively supported Mozilla/Netscape for years. (Hell, I do work for financial firms in NYC that don't even allow their own people to browse with IE.)