A U.K.-based researcher recently found that a website run by the Florida Department of Revenue had been exposing the personal data, including Social Security numbers and bank account information, submitted by individuals filing for business tax registrations.
The bug, which was reported to state officials on Oct. 27, made it possible for external users to view registration data submitted by taxpayers. The Florida Department of Revenue confirmed to StateScoop that the exposed data included 417 business tax registrations containing people’s confidential information.
The researcher, Kamran Mohsin, told StateScoop that he discovered the vulnerability while assisting a friend who was starting an online store and had registered for a business license in Florida. Mohsin said he found an access-control flaw in the website that made it possible to view individual filings without authorization. This type of vulnerability is commonly known as an insecure direct object reference, or IDOR: the application lets a user reach a record through an identifier the user supplies, such as a filing number in a URL, without checking on the server that the user is authorized to see that record.
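The flaw as described is the textbook IDOR pattern, shown here as an added illustration that is not code from the Florida Department of Revenue site or from Mohsin's report: a filing lookup that trusts the client-supplied id beside the server-side ownership check that closes it, plus a retrospective scan of access records of the kind an agency would run to size a notification list. Account names, filing ids and log lines are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


class Forbidden(Exception):
    """Raised when the session is not entitled to the requested filing."""


@dataclass(frozen=True)
class Filing:
    filing_id: int
    owner_account: str  # account that submitted the registration
    business_name: str


# Constructed stand-in for the registration table; no real filer data.
FILINGS: Dict[int, Filing] = {
    1001: Filing(1001, "acct-alice", "Alice's Online Store"),
    1002: Filing(1002, "acct-bob", "Bob's Bait Shop"),
}


def lookup_filing_vulnerable(session_account: str, filing_id: int) -> Filing:
    """IDOR: the record is selected by the client-supplied id alone, so any
    signed-in user who alters the id in the request sees another filer's data."""
    return FILINGS[filing_id]


def lookup_filing_fixed(session_account: str, filing_id: int) -> Filing:
    """Closes the hole: the id is only a selector; access is decided against
    the authenticated session on the server side."""
    filing = FILINGS.get(filing_id)
    # One response for "no such filing" and "not yours", so the id space
    # cannot be mapped by distinguishing 403 from 404.
    if filing is None or filing.owner_account != session_account:
        raise Forbidden("filing not found")
    return filing


def flag_cross_account_reads(access_log: List[str]) -> List[Tuple[str, int]]:
    """Retrospective check for an exposure window: given 'account filing_id'
    lines, return (account, filing_id) pairs where an account read a filing
    it does not own. Each distinct filing_id hit is a filer to notify."""
    hits = []
    for line in access_log:
        account, raw_id = line.split()
        filing = FILINGS.get(int(raw_id))
        if filing is not None and filing.owner_account != account:
            hits.append((account, filing.filing_id))
    return hits


# Constructed access log: two legitimate reads and one cross-account read.
SAMPLE_LOG = ["acct-alice 1001", "acct-bob 1002", "acct-bob 1001"]
```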
Mohsin’s discovery was first reported by TechCrunch.
Screenshots shared by Mohsin show tax filers’ names, home and business addresses, tax identification numbers and other personal details.
In an emailed statement, the Florida Department of Revenue said it verified the vulnerability after being contacted by Mohsin and immediately removed the tax-registration application from external access. The vulnerability was corrected within 24 hours, and two external vendors confirmed the fix, according to state officials.
The agency also said that, within two days of learning of the exposure, it contacted the 417 taxpayers whose data was confirmed to have been exposed and offered them a year of free credit monitoring. There is no evidence that any of the data has been exploited by malicious actors.
Mohsin told StateScoop he never heard back from Florida officials. State officials have not always taken kindly to discoveries of vulnerabilities in government websites: last year, Missouri Gov. Mike Parson threatened to jail a newspaper reporter who found a flaw in a website that exposed teachers’ personal information, though prosecutors declined to file any charges.