I've tried myself to report vulnerabilities and it's nearly impossible to find even the most generic of contact emails. I usually end up passing the info on to friends who do more gov work than myself. There REALLY needs to be a generic firstname.lastname@example.org email somewhere.
Not going out of my way to find anything, but in the past if I receive a (usually HMRC related) phishing email from a .gov domain, I'll try and dig up a CERT email, or JANET if it is university related.
Sure, the first issue that made me get into tax bug hunting was a run-of-the-mill open redirect, but the second issue is an interesting DOMXSS in an obfuscated vendor codebase with a WAF bypass, alongside some technical commentary I worked really hard on, that allows you to read and write financial data. It's sad to see an equally significant portion of my work dismissed as 'alright findings'.
Also, more generally, don't take internet comments personally. You know how much effort you put in, and your writing reflects that. You're on BBC news for god's sake, congratulations.
Also 2, amazing writeup. I love your style, it rings a bell. #ezbake ?
When I saw "serious vulnerabilities" on a BBC news site, I figured - especially with the open sourcing of payg/gov code, the recent struts vulnerability, etc. etc. - there was going to be something really major, and felt a bit clickbaited. Don't take it personally, as it was never aimed at being personal.
But I do respectfully disagree that they can't be referred to as serious. It may be an XSS -- not critical in traditional bug taxonomies, and perhaps in an alternate future I could have dumped the whole DB, but it is also an XSS in a tax system.
Again, sorry for perhaps over-reacting there.
>We've already started some experiments in this area with pioneering UK SME Netcraft. They're off looking for phishing hosted in the UK, webinject malware hosted in the UK and phishing anywhere in the world that targets a UK government brand. When they find it, they ask the hosting provider to take down the offending site. It's surprisingly effective and again generates data we can use. We'll definitely do more in this space.
I suspect you can forward these to email@example.com to get the upstream providers automatically notified and the site monitored until it's down.
It has been a while since I've received one though, in all fairness.
*edit - sorry, just read it properly, both malware and generic phishing. Sorry! Even so, it would be really nice to have a streamlined process to go "hey, <shitty local council> has an open relay" whereby someone from within the UK gov could just forward on the email to the IT guy up there to at least make them aware of the issue.
This is accurate. Source: worked at Netcraft until recently.
Also, if the automated system rejects your report (Netcraft handles an awful lot of reports, false positives are unavoidable), reply to the rejection message explaining that you think it shouldn't be rejected and your message will be read and handled by a technical human.
I don't have a UK passport and they had moved me to the passport authentication on the website. Literally had contacted them a good 5 times; each time waiting for at least 3 weeks for the reply, constantly getting a pre-set response.
Ended up asking my accountant to tell me if my balance is not in check.
Can't say anything of the quality of the service itself though - that seems to be OK when it works. But their support is horrendous.
It's a neat write-up - the security folks at Twitch do some great work and this is no exception.
Seems like HMRC really need to work on a responsible disclosure system of some sort, I'm surprised that there are no security@ emails.
I'm also left wondering if Content-Security-Policy could have helped with that XSS.
In Portugal you fill in the taxes in a Java application that runs in a browser after accepting an invalid security certificate, and I always have the feeling that the app has way more access to my computer than it should (saving files is done in a custom interface, not native windows). I'm filled with deep profound sadness and conspiracy theories every single time I have to log in to that system.
It is also presented in a web page with a scrollbar and an applet with its own scrollbars, so it's always a mystery where you'll end up after a mouse scroll.
I say self-signed certificates because it's been 10 years that Brazil nic has been trying to get its CA approved.
What's the reward/risk?
I just assume they are monitoring everything I do online anyway.
It was an XSS, which has been considered high priority by most people for a while: https://bugcrowd.com/vulnerability-rating-taxonomy
As he mentioned in the write-up I linked, you could use this for both retrieving data and performing actions.
It may be brutish, bad, evil, or whatever. I'd report willingly for open source or software I've bought for bug reports or vuln reports. But if I find a serious security issue, I expect to be compensated. And if an org makes it impossible to even contact them, I'll go to their, <ahem> competitors. They do pay.
Perhaps organizations need to be reminded of this.
' OR 'A'='A
I thought about reporting it, but given that I had already exploited it and seen private information, I thought twice. I've reported security issues at sites before, but never at a government site or involving me having seen people's private information. I got panicky and just closed the site. I don't owe them the report and the risk it puts me at. It's a nice thing I do for people who invite it or when the risk is low, but somehow I think legal action is more likely from the site for a local court. If anyone owes anyone, it's the developers for risking people's information so carelessly and for putting me into this type of bind, but somehow I think if I reported this I'd be the only one at risk of being treated as a criminal.
I'm not fully sure why I felt compelled to think this was all relevant to this thread. Maybe just to illustrate some of the stress that comes from the vulnerability-reporting side of things. If you want secure systems and for people to report issues as they see them, then sometimes you need to invite the reporters. The difficulty described in the article of even reporting the issue makes me think I'm probably very far from alone in avoiding reporting this type of thing.
A non-savvy user would not check the email and would click any link they're sent, redirect, ssl or not. So you might as well send them a standard phishing link.
This means you're targeting users in between these two classes, so maybe it's effective for a very specific attack. And if someone is that determined they'll get in no matter what.
Plus 2FA is there on HMRC; if they request a fresh code before any major changes are made it would make it very difficult to do any serious damage.
This is a perfect phishing attack (only short of being able to send a valid email from @gov.uk). The user is always on .gov.uk and it always has a valid EV certificate.
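The phishing value of the open redirect discussed in these comments comes entirely from the link starting on a trusted .gov.uk host; the server-side fix is to validate every redirect target before honouring it. The check below is an added example written for this thread, not code from the article, the commenters or HMRC; the allow-listed host names are hypothetical placeholders.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts the application may send users to (placeholder names)
ALLOWED_HOSTS = {"tax.example.gov.uk", "www.example.gov.uk"}


def is_safe_redirect(target: str) -> bool:
    """Return True only for a same-site path or an https URL on an allow-listed host.

    Each early return covers one way an open redirect slips past a naive
    "does it start with a slash" check.
    """
    if not target or any(c in target for c in "\r\n\t "):
        return False            # empty, or control characters usable for header injection
    # Browsers treat backslashes like slashes, so '/\evil.example' is really '//evil.example'
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False            # javascript:, data:, vbscript:, ...
    if not parts.scheme and not parts.netloc:
        # Relative target: accept '/path' but reject scheme-relative '//host' and '///host'
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme.lower() != "https":
        return False            # scheme-relative '//host', 'http:' downgrade, or 'https:host' oddities
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return False            # catches 'allowed.gov.uk.evil.example' and 'allowed.gov.uk@evil.example'
    try:
        port = parts.port
    except ValueError:
        return False            # non-numeric port
    return port in (None, 443)


def resolve_redirect(target: str, fallback: str = "/account") -> str:
    """Return the requested target if it passes validation, otherwise a fixed safe path."""
    return target if is_safe_redirect(target) else fallback
```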