
'Serious' security flaws found on official UK tax site - scaryclam
http://www.bbc.co.uk/news/technology-41188008
======
morrbo
So although they are alright findings (arbitrary url redirect and dom-ish xss)
the main take away from the article is that it is WAY too hard to contact
anyone from any form of CERT in the UK whatsoever.

I've tried myself to report vulnerabilities[1] and it's nearly impossible to
find even the most generic of contact emails. I usually end up passing the
info on to friends who do more gov work than myself. There REALLY needs to be
a generic cert/security@gov.uk email somewhere.

[1] not going out of my way to find anything, but in the past if i receive a
(usually HMRC related) phishing email from a .gov domain, i'll try and dig up
a CERT email, or JANET if it is university related.

~~~
zemnmez
while, yes I did want to make out in the second half just how difficult it was
to get in contact with a CERT, it's sad to hear the other half put down to
'alright findings'...

Sure, the first issue that made me get into tax bug hunting was a run-of-the-
mill open redirect, but the second issue is an interesting DOMXSS in an
obfuscated vendor codebase with a WAF bypass alongside some technical
commentary I worked really hard on that allows you to _read and write
financial data_. It's sad to see that equally significant portion of my work
dismissed as 'alright findings'.

~~~
orf
Don't feel diminished by comments like that. From a technical point of view
the issues are great, but I think the parent comment was referring to the
overall 'gist' of the issues - no SQL injection, RCE or other 'stupid'
findings that indicate serious underlying problems with the site. The issues
are 'alright', which lies between 'silly' (banner disclosure) and 'everything
is fucked' (db access)

Also, more generally, don't take internet comments personally. You know how
much effort you put in, and your writing reflects that. You're on BBC news for
god's sake, congratulations.

Also 2, amazing writeup. I love your style, it rings a bell. #ezbake ?

~~~
zemnmez
thank you. I may have reacted excessively. I'm glad you enjoyed it :)

------
lol768
Here's the direct link to the report: [https://medium.com/@Zemnmez/how-to-hack-the-uk-tax-system-i-...](https://medium.com/@Zemnmez/how-to-hack-the-uk-tax-system-i-guess-3e84b70f8b)

It's a neat write-up - the security folks at Twitch do some great work and
this is no exception.

Seems like HMRC really need to work on a responsible disclosure system of some
sort, I'm surprised that there are no security@ emails.

I'm also left wondering if Content-Security-Policy could have helped with that
XSS.
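
Added example (my own code, not from the thread, the BBC article or the write-up it links): a small evaluator for the script-governing part of a Content-Security-Policy header, so a reader can see which scripts a candidate policy would have let run. The policy, hosts and nonce in demo() are constructed for illustration and are not the site's real ones; hash-sources and paths in host-sources are deliberately left out.

```javascript
// Added example, not code from the thread, from HMRC or from the write-up it
// discusses: a minimal evaluator for the part of Content-Security-Policy that
// governs scripts. Assumptions (mine): CSP Level 2 source-list syntax, only the
// keywords handled below, path components of host-sources ignored, and the
// constructed policy/hosts in demo(), which are not any real site's.

// "directive v1 v2; directive v3" -> Map { directive -> [v1, v2] }
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// host-source: [scheme://][*.]host[:port]
function hostSourceMatches(expr, src) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== src.protocol) return false;
  const want = host.toLowerCase();
  const got = src.hostname.toLowerCase();
  if (wildcard ? !got.endsWith('.' + want) : got !== want) return false;
  const srcPort = src.port || (src.protocol === 'https:' ? '443' : '80');
  return !port || port === '*' || port === srcPort;
}

// One source expression against one script. `script` is either
// { inline: true, nonce?: string } or { src: 'https://...' }.
function sourceMatches(expr, script, pageOrigin, nonceOrHashPresent) {
  if (expr === "'none'") return false;
  if (script.inline) {
    // 'unsafe-inline' is ignored by browsers once a nonce or hash is present
    if (expr === "'unsafe-inline'") return !nonceOrHashPresent;
    if (expr.startsWith("'nonce-")) return script.nonce === expr.slice("'nonce-".length, -1);
    return false; // hash-sources are not evaluated in this example
  }
  const src = new URL(script.src);
  if (expr === "'self'") return src.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // other quoted keywords never match a fetched script here
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return src.protocol === expr.toLowerCase(); // scheme-source
  return hostSourceMatches(expr, src);
}

// Would the given script run under this policy on a page at pageOrigin?
function scriptAllowed(policy, script, pageOrigin) {
  const directives = parsePolicy(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (!sources) return true; // nothing governs scripts: everything runs
  const strict = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.some(expr => sourceMatches(expr, script, pageOrigin, strict));
}

// Constructed scenario: a nonce-based policy on a fictional tax site.
function demo() {
  const policy = "default-src 'self'; script-src 'self' https://static.example-cdn.test 'nonce-r4nd0m'";
  const page = 'https://tax-service.example.test';
  return {
    injectedInline: scriptAllowed(policy, { inline: true }, page),                           // false
    noncedInline:   scriptAllowed(policy, { inline: true, nonce: 'r4nd0m' }, page),         // true
    ownScript:      scriptAllowed(policy, { src: page + '/assets/app.js' }, page),          // true
    vendorScript:   scriptAllowed(policy, { src: 'https://static.example-cdn.test/widget.js' }, page), // true
    otherHost:      scriptAllowed(policy, { src: 'https://attacker.example.test/x.js' }, page),        // false
  };
}
```

The outcome that bears on the question above: a nonce-based policy stops an injected inline script or event handler, but anything served from an allowlisted host, a vendor's own bundle included, keeps running. CSP therefore helps with a DOM XSS only to the extent that the payload needs script the policy forbids; when the sink is reached through code that is already allowed to run, the fix has to be in that code.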

------
fimdomeio
Let me just share a moment of my personal pain.

In Portugal you fill in the taxes in a Java application that runs in a browser
after accepting an invalid security certificate and I always have the feeling
that the app has way more access to my computer than it should (saving files is
done in a custom interface, not native windows). I'm filled with deep profound
sadness and conspiracy theories every single time I have to log in to that
system.

It is also presented in a web page with a scrollbar and an applet with its
own scrollbars, so it's always a mystery where you'll end up after a mouse
scroll.

~~~
msantos
Brazil is not much different. And to make matters worse, almost every
Brazilian government agency that offers online services does so using their
"self" signed certificates. Now imagine how hard it is to educate people not to
click on dodgy websites and certificates, when the whole government does
exactly the opposite.

I say self signed certificates because it's been 10 years that Brazil NIC is
trying to get its CA approved.

[https://bugzilla.mozilla.org/show_bug.cgi?id=438825](https://bugzilla.mozilla.org/show_bug.cgi?id=438825)

------
throwawaythrow1
Oh boy, I used to work at GDS and I met some people from HMRC about their
Childcare voucher system thingy. And it used similar techniques to this, I
raised it directly with them but they didn't think it was an issue, and my
comments were drowned out by a talking shop of technocratic circle jerking.

~~~
TazeTSchnitzel
At least GDS strong-armed HMRC into using CSS from the 21st century.

------
chrisacky
I can't imagine the motives anyone would want to try and volunteer information
about vulnerabilities to the UK gov. Maybe I'm naive, but there's so much
hostility towards whitehat researchers that I'd assume Zemnmez is now on some
"list" and being monitored/watched/flagged.

What's the reward/risk?

~~~
noir_lord
I think we are all on the list. Visiting Linux forums got some of us on the
list. I can't imagine that visiting HN wouldn't.

I just assume they are monitoring everything I do online anyway.

~~~
symlinkk
why would HN put you on a list?

~~~
grzm
I read your parent as _others_ noticing you're visiting HN (or other sites),
not that the site itself is keeping such lists.

------
neoh
Since when did CSRF and open redirect exploits become serious? Quite common
and minor really.

~~~
lol768
Why is CSRF relevant here?

It was an XSS, which has been considered high priority by most people for a
while: [https://bugcrowd.com/vulnerability-rating-taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy)

As he mentioned in the write-up I linked, you could use this for both
retrieving data and performing actions.

------
occultist_throw
Well, then perhaps it's time to start talk of selling vulnerabilities on the
Dark Web to compensate for our time?

It may be brutish, bad, evil, or whatever. I'd report willingly for open source
or software I've bought for bug reports or vuln reports. But if I find a
serious security issue, I expect to be compensated. And if an org makes it
impossible to even contact them, I'll go to their, <ahem> competitors. They do
pay.

Perhaps organizations need to be reminded of this.

------
AgentME
I once got a parking ticket, and I was trying to figure out how to pay it
online. I found a site for the city that I was supposed to put in my license
plate number and my date of birth to look up a parking ticket in order to pay
it online. I realized that the car was registered to one of my parents,
honestly I wasn't sure I had their birthdays exactly memorized, and I couldn't
contact both of them at that very moment, so I tried guessing a few dates for
the birthday field. I got frustrated, and ... well I've participated in a
number of security CTF challenges / puzzle games, where SQL injection is a
common technique you're expected to do, and step 1 of many CTF challenges is
to literally put the following characters into each text field you find:

    
    
        ' OR 'A'='A 
    

It's like the SQL-injection version of "open sesame". It's generic, fitting a
common coding mistake, not tailored to any specific site. It's a force of
habit to use while working on CTF challenges ... Desperate to solve my problem
of finding my own parking ticket, I reached to that knowledge without really
thinking about it and used it. It worked, and the page showed me hundreds of
parking tickets with people's full names, license plate and driver license
IDs, addresses, and ticket amounts and descriptions. (A glance showed a few
people were racking up thousands of dollars of parking tickets, seriously
wtf?) I worried about what I did and closed the site. (Well first I scrolled
through the list to see if my own parking ticket was there. It wasn't. Turns
out where my parking ticket was given was actually in a different city; I was
checking the wrong site to begin with.)

I thought about reporting it, but given that I already exploited it and saw
private information, I thought twice. I've reported security issues at sites
before, but never at a government site or involving me having seen people's
private information. I got panicky and just closed the site. I don't _owe_
them the report and the risk it puts me at. It's a nice thing I do for people
who invite it or when the risk is low, but somehow I think legal actions are
more likely from the site for a local court. If anyone _owes_ anyone, it's the
developers for risking people's information so carelessly and for putting me
into this type of bind, but somehow I think if I reported this I'd be
the only one at risk of being treated as a criminal.

I'm not fully sure why I felt compelled to think this was all relevant to this
thread. Maybe just to illustrate some of the stress that comes from the
vulnerability-reporting side of things. If you want secure systems and for
people to report issues as they see them, then sometimes you need to invite
the reporters. The difficulty described in the article of even reporting the
issue makes me think I'm probably very far from alone in avoiding reporting
this type of thing.

------
megawatthours
Is there a standard way to avoid attacks based on abusing your
window.location.replace() calls?

~~~
kevin_thibedeau
NoScript
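
Added example, not code from the thread or from the site under discussion, giving the page-side answer to the question above: resolve the supplied target with the URL parser and only hand it to window.location.replace() when the result is an http(s) URL on the page's own origin, otherwise fall back to a fixed path. The parameter name `next`, the fallback path, and the fictional hosts in demo() are my assumptions.

```javascript
// Added example (not from the thread or the site it discusses): validating a
// caller-supplied redirect target before passing it to window.location.replace().
// Assumptions (mine): the query parameter is `next`, the fallback is /account,
// and the page origin is passed in explicitly so the check also runs in Node.

const DEFAULT_TARGET = '/account';

// Returns an absolute same-origin URL string, or DEFAULT_TARGET if `raw` cannot
// be followed safely. Resolution goes through the URL parser so that
// protocol-relative (//host), backslash (/\host) and userinfo (host@other)
// forms are judged by where the browser would actually navigate, not by how
// the string starts.
function safeRedirectTarget(raw, pageOrigin) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return DEFAULT_TARGET;
  let url;
  try {
    url = new URL(raw, pageOrigin); // relative paths resolve against our own origin
  } catch {
    return DEFAULT_TARGET;          // unparsable input
  }
  // Only web navigations: rejects javascript:, data:, file: and friends.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return DEFAULT_TARGET;
  // Must land on this site; origin comparison covers scheme, host and port.
  if (url.origin !== new URL(pageOrigin).origin) return DEFAULT_TARGET;
  // Credentials in the URL are never something we want to forward.
  if (url.username || url.password) return DEFAULT_TARGET;
  return url.href;
}

// Browser glue: read ?next= from the current page and navigate to the vetted target.
function redirectFromQuery() {
  const next = new URLSearchParams(window.location.search).get('next');
  window.location.replace(safeRedirectTarget(next, window.location.origin));
}

// Constructed inputs covering the usual ways a naive startsWith('/') check is fooled.
function demo() {
  const origin = 'https://tax-service.example.test';
  const inputs = [
    '/self-assessment/summary',                                   // ordinary relative path: kept
    'https://tax-service.example.test/help',                      // absolute, same origin: kept
    '//attacker.example.test/login',                              // protocol-relative: rejected
    '/\\attacker.example.test',                                   // backslash becomes a slash: rejected
    'https://tax-service.example.test@attacker.example.test/',    // our host as userinfo: rejected
    'https://tax-service.example.test.attacker.example.test/',    // our host as a subdomain: rejected
    'javascript:void(0)',                                         // non-web scheme: rejected
  ];
  return Object.fromEntries(inputs.map(i => [i, safeRedirectTarget(i, origin)]));
}
```

The design point is that the decision is made on the parsed result rather than on the raw string: `/\attacker.example.test` and `//attacker.example.test` both pass a "starts with a slash" test yet resolve to another host, and the origin comparison catches both. Where the set of legitimate destinations is small, comparing `url.pathname` against a fixed list of paths is stricter still.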

------
pbhjpbhj
A fun and informative write-up.

------
albertgoeswoof
I don't think this is a huge step up over a standard phishing attack. A savvy
user would notice that the redirected URL doesn't have an EV cert (it might
not even have SSL at all). They would probably check the email address the
link came from as well.

A non-savvy user would not check the email and would click any link they're
sent, redirect, ssl or not. So you might as well send them a standard phishing
link.

This means you're targeting users in between these two classes, so maybe it's
effective for a very specific attack. And if someone is that determined
they'll get in no matter what.

Plus 2FA is there on HMRC; if they request a fresh code before any major
changes are made it would make it very difficult to do any serious damage.

~~~
IshKebab
Read the actual blog: [https://medium.com/@Zemnmez/how-to-hack-the-uk-tax-system-i-...](https://medium.com/@Zemnmez/how-to-hack-the-uk-tax-system-i-guess-3e84b70f8b)

This is a perfect phishing attack (only short of being able to send a valid
email from @gov.uk). The user is always on .gov.uk and it always has a valid
EV certificate.

