'Serious' security flaws found on official UK tax site (bbc.co.uk)
138 points by scaryclam 94 days ago | 32 comments

So although they are alright findings (arbitrary URL redirect and DOM-ish XSS), the main takeaway from the article is that it is WAY too hard to contact anyone from any form of CERT in the UK whatsoever.

I've tried myself to report vulnerabilities[1] and it's nearly impossible to find even the most generic of contact emails. I usually end up passing the info on to friends who do more gov work than myself. There REALLY needs to be a generic cert/security@gov.uk email somewhere.

[1] not going out of my way to find anything, but in the past if I receive a (usually HMRC related) phishing email from a .gov domain, I'll try and dig up a CERT email, or JANET if it is university related.

While, yes, I did want to make out in the second half just how difficult it was to get in contact with a CERT, it's sad to hear the other half put down to 'alright findings'...

Sure, the first issue that made me get into tax bug hunting was a run-of-the-mill open redirect, but the second issue is an interesting DOMXSS in an obfuscated vendor codebase with a WAF bypass alongside some technical commentary I worked really hard on that allows you to read and write financial data. It's sad to see that equally significant portion of my work dismissed as 'alright findings'.

Don't feel diminished by comments like that. From a technical point of view the issues are great, but I think the parent comment was referring to the overall 'gist' of the issues - no SQL injection, RCE or other 'stupid' findings that indicate serious underlying problems with the site. The issues are 'alright', which lies between 'silly' (banner disclosure) and 'everything is fucked' (db access).

Also, more generally, don't take internet comments personally. You know how much effort you put in, and your writing reflects that. You're on BBC news for god's sake, congratulations.

Also 2, amazing writeup. I love your style, it rings a bell. #ezbake ?

Thank you. I may have reacted excessively. I'm glad you enjoyed it :)

Pretty much exactly what Orf said below. The writeup was great and you did a fantastic job of knowledge sharing (which is what this is all about tbh). However the "alright" refers to the two aforementioned medium risk issues.

When I saw "serious vulnerabilities" on a BBC news site, I figured - especially with the open sourcing of payg/gov code, the recent struts vulnerability, etc. etc. - there was going to be something really major, and felt a bit clickbaited. Don't take it personally, as it was never aimed at being personal.

Yeah, I'm sorry there... I thought this was pointed directly at my article. I agree, on the scale of things that could have potentially happened, that these things are in the middle of the scale.

But I do respectfully disagree that they can't be referred to as serious. It may be an XSS -- not critical in traditional bug taxonomies, and perhaps in an alternate future I could have dumped the whole DB -- but it is also an XSS in a tax system.

Again, sorry for perhaps over-reacting there.

>if I receive a (usually HMRC related) phishing email from a .gov domain

>We've already started some experiments in this area with pioneering UK SME Netcraft. They're off looking for phishing hosted in the UK, webinject malware hosted in the UK and phishing anywhere in the world that targets a UK government brand. When they find it, they ask the hosting provider to take down the offending site. It's surprisingly effective and again generates data we can use. We'll definitely do more in this space.

I suspect you can forward these to scam@netcraft.com to get the upstream providers automatically notified and the site monitored until it's down.

It's not so much malware, it's mainly open relays which are being used to bypass spam filters on hotmail et al. due to coming from a "legit" .gov or .edu domain.

It has been a while since I've received one though, in all fairness.

*edit - Sorry, just read it properly: both malware and generic phishing. Sorry! Even so, though, it would be really nice to have a streamlined process to go "hey, <shitty local council> has an open relay" whereby someone from within the UK gov could just forward on the email to the IT guy up there to at least make them aware of the issue.

The IT guy is attending DefCon on the council budget.

> I suspect you can forward these to scam@netcraft.com to get the upstream providers automatically notified and the site monitored until it's down.

This is accurate. Source: worked at Netcraft until recently.

Also, if the automated system rejects your report (Netcraft handles an awful lot of reports, false positives are unavoidable), reply to the rejection message explaining that you think it shouldn't be rejected and your message will be read and handled by a technical human.

It's even worse when you actually have an issue with tax repayments due.

I don't have a UK passport and they had moved me to the passport authentication on the website. I had literally contacted them a good 5 times, each time waiting for at least 3 weeks for the reply and constantly getting a pre-set response.

Ended up asking my accountant to tell me if my balance is not in check.

Can't say anything of the quality of the service itself though - that seems to be OK when it works. But their support is horrendous.

Here's the direct link to the report: https://medium.com/@Zemnmez/how-to-hack-the-uk-tax-system-i-...

It's a neat write-up - the security folks at Twitch do some great work and this is no exception.

Seems like HMRC really need to work on a responsible disclosure system of some sort; I'm surprised that there are no security@ emails.

I'm also left wondering if Content-Security-Policy could have helped with that XSS.

Let me just share a moment of my personal pain.

In Portugal you fill in your taxes in a Java application that runs in a browser after accepting an invalid security certificate, and I always have the feeling that the app has way more access to my computer than it should (saving files is done in a custom interface, not native windows). I'm filled with deep, profound sadness and conspiracy theories every single time I have to log in to that system.

It is also presented in a web page with a scrollbar and an applet with its own scrollbars, so it's always a mystery where you'll end up after a mouse scroll.

Brazil is not much different. And to make matters worse, almost every Brazilian government agency that offers online services does so using their "self" signed certificates. Now imagine how hard it is to educate people not to click on dodgy websites and certificates, when the whole government does exactly the opposite.

I say self-signed certificates because Brazil NIC has been trying to get its CA approved for 10 years.

I would run that in a VirtualBox VM.

Oh boy, I used to work at GDS and I met some people from HMRC about their Childcare voucher system thingy. And it used similar techniques to this, I raised it directly with them but they didn't think it was an issue, and my comments were drowned out by a talking shop of technocratic circle jerking.

At least GDS strong-armed HMRC into using CSS from the 21st century.

I can't imagine the motives anyone would want to try and volunteer information about vulnerabilities to the UK gov. Maybe I'm naive, but there's so much hostility towards whitehat researchers that I'd assume Zemnmez is now on some "list" and being monitored/watched/flagged.

What's the reward/risk?

I think we are all on the list. Visiting Linux forums got some of us on the list. I can't imagine that visiting HN wouldn't.

I just assume they are monitoring everything I do online anyway.

Why would HN put you on a list?

I read your parent as others noticing you're visiting HN (or other sites), not that the site itself is keeping such lists.

The reward is not having someone put you on the hook for unlimited fines by, for example, filing taxes for you with a credit card number as your annual income.

Since when did CSRF and open redirect exploits become serious? Quite common and minor really.

Why is CSRF relevant here?

It was an XSS, which has been considered high priority by most people for a while: https://bugcrowd.com/vulnerability-rating-taxonomy

As he mentioned in the write-up I linked, you could use this for both retrieving data and performing actions.

Well, then perhaps it's time to start talk of selling vulnerabilities on the Dark Web to compensate for our time?

It may be brutish, bad, evil, or whatever. I'd report willingly for open source or software I've bought for bug reports or vuln reports. But if I find a serious security issue, I expect to be compensated. And if an org makes it impossible to even contact them, I'll go to their, <ahem> competitors. They do pay.

Perhaps organizations need to be reminded of this.

I once got a parking ticket, and I was trying to figure out how to pay it online. I found a site for the city where I was supposed to put in my license plate number and my date of birth to look up a parking ticket in order to pay it online. I realized that the car was registered to one of my parents, and honestly I wasn't sure I had their birthdays exactly memorized, and I couldn't contact both of them at that very moment, so I tried guessing a few dates for the birthday field. I got frustrated, and ... well, I've participated in a number of security CTF challenges / puzzle games, where SQL injection is a common technique you're expected to do, and step 1 of many CTF challenges is to literally put the following characters into each text field you find:

    ' OR 'A'='A 

It's like the SQL-injection version of "open sesame". It's generic, fitting a common coding mistake, not tailored to any specific site. It's a force of habit to use while working on CTF challenges ... Desperate to solve my problem of finding my own parking ticket, I reached for that knowledge without really thinking about it and used it. It worked, and the page showed me hundreds of parking tickets with people's full names, license plate and driver license IDs, addresses, and ticket amounts and descriptions. (A glance showed a few people were racking up thousands of dollars of parking tickets, seriously wtf?) I worried about what I did and closed the site. (Well, first I scrolled through the list to see if my own parking ticket was there. It wasn't. Turns out where my parking ticket was given was actually in a different city; I was checking the wrong site to begin with.)

I thought about reporting it, but given that I already exploited it and saw private information, I thought twice. I've reported security issues at sites before, but never at a government site or involving me having seen people's private information. I got panicky and just closed the site. I don't owe them the report and the risk it puts me at. It's a nice thing I do for people who invite it or when the risk is low, but somehow I think legal actions are more likely from the site for a local court. If anyone owes anyone, it's the developers for risking people's information so carelessly and for putting me into this type of bind, but somehow I think if I reported this I'd be the only one at risk of being treated as a criminal.

I'm not fully sure why I felt compelled to think this was all relevant to this thread. Maybe just to illustrate some of the stress that comes from the vulnerability-reporting side of things. If you want secure systems and for people to report issues as they see them, then sometimes you need to invite the reporters. The difficulty described in the article of even reporting the issue makes me think I'm probably very far from alone in avoiding reporting this type of thing.

Is there a standard way to avoid attacks based on abusing your window.location.replace() calls?
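One standard defence for the question above, written as an added example (not code from the original write-up, from HMRC or from the vendor): resolve the redirect parameter with the WHATWG URL parser against your own origin and only pass a same-origin path to window.location.replace(). The names allowedRedirect, redirectAfterLogin and SITE_ORIGIN are chosen for this example.

```javascript
// Added example: allow-list validation for a redirect parameter before it
// reaches window.location.replace(). SITE_ORIGIN is a constructed value and
// the function names are assumptions for this illustration.
const SITE_ORIGIN = "https://www.tax.service.gov.uk";

// Return a same-origin path to navigate to, or null if the input must be
// rejected. Letting the URL parser resolve the value against our origin means
// it decides which scheme and host the browser would really visit, instead of
// fragile string checks such as startsWith("/").
function allowedRedirect(rawTarget, origin = SITE_ORIGIN) {
  if (typeof rawTarget !== "string" || rawTarget.length === 0 || rawTarget.length > 2048) {
    return null;
  }
  let url;
  try {
    // Relative paths resolve onto our origin; absolute URLs keep their own
    // scheme and host, which is exactly what we want to inspect.
    url = new URL(rawTarget, origin);
  } catch {
    return null; // unparseable input is never a valid destination
  }
  // A javascript: or data: URL has origin "null"; protocol-relative
  // //other.example, its backslash spelling \/other.example (the parser treats
  // "\" as "/" for http(s)), and user@host tricks all yield a foreign origin.
  if (url.origin !== origin) {
    return null;
  }
  // Hand back a path and query only, never the caller's scheme or host, and
  // drop the fragment so a #... payload cannot ride along into the next page.
  return url.pathname + url.search;
}

// The validated value is the only thing ever passed to location.replace();
// anything rejected falls back to a fixed landing page.
function redirectAfterLogin(rawTarget) {
  const target = allowedRedirect(rawTarget) ?? "/account";
  if (typeof window !== "undefined") {
    window.location.replace(target);
  }
  return target;
}
```

Because the check is on the parsed origin rather than on the raw string, it also rejects look-alike hosts such as www.tax.service.gov.uk.other.example and http:// downgrades.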

A fun and informative write-up.

I don't think this is a huge step up over a standard phishing attack. A savvy user would notice that the redirected URL doesn't have an EV cert (it might not even have SSL at all). They would probably check the email address the link came from as well.

A non-savvy user would not check the email and would click any link they're sent, redirect, ssl or not. So you might as well send them a standard phishing link.

This means you're targeting users in between these two classes, so maybe it's effective for a very specific attack. And if someone is that determined they'll get in no matter what.

Plus 2FA is there on HMRC; if they request a fresh code before any major changes are made, it would make it very difficult to do any serious damage.

Read the actual blog: https://medium.com/@Zemnmez/how-to-hack-the-uk-tax-system-i-...

This is a perfect phishing attack (only short of being able to send a valid email from @gov.uk). The user is always on .gov.uk and it always has a valid EV certificate.

The redirected URL in this case is another vulnerability on www.tax.service.gov.uk, so there'd be no tells from the domain or SSL configuration. If the email was well-crafted (spoofed hmrc.gov.uk, plausible contents etc.), it'd be very difficult to notice anything was amiss (unless you spot the obfuscated javascript in the URL AND recognise that it shouldn't be there).
