Both of the bugs could have allowed an attacker to access or modify a user’s tax details using specially crafted malicious links
A security researcher who found two serious flaws in HMRC’s website said it took him two months to report the bugs and confirm they had been fixed.
He criticised HMRC and the National Cyber Security Centre (NCSC) for providing no way for experts to ensure issues are attended to.
“There comes a point at which even doing the right thing seems to have been the wrong choice,” wrote the researcher, under the handle Zemnmez, in a blog post.
HMRC said it is working on improving contact methods for those wishing to report issues. Both flaws have now been addressed.
Both issues could have allowed attackers to access and modify users’ tax accounts.
Zemnmez spotted the first vulnerability when he was using the website to check his tax details. He saw that a redirection method used during authentication could be abused to send users to a malicious website.
An attacker could, for instance, have created an HMRC web address with the malicious redirect and sent it to a user in an authentic-looking email. When the user entered their account login details, they would be harvested by the attacker.
“We can construct a link that goes to HMRC, passes login and then sends the victim to our own carefully crafted site that looks like HMRC but is instead us,” he wrote, adding that the issue is a common one.
Zemnmez looked further into the HMRC site and found another, more serious bug that used XSS code to “effectively hijack the tax accounts of HMRC online users”.
Ironically, the flawed code, provided by a third party, was used as part of the site’s anti-fraud measures.
He said the second bug would have been more difficult to exploit than the first, but was potentially more serious as it would have allowed someone to “arbitrarily modify people’s tax details after making them click a link”.
The first bug was fixed a few days after Zemnmez contacted HMRC’s press office in April, but he had less luck getting in touch with someone about the second, more complex flaw.
In the end he was only able to contact NCSC via a friend who knew someone in the organisation. He received a reply from NCSC in June and the second issue was fixed a few days later.
HMRC said it was working on improving reporting processes for security issues.
“HMRC is working with the NCSC to ensure that there is a single route for reporting security vulnerabilities to government,” HMRC said in a statement. “HMRC is also working to ensure that our internal processes are better streamlined to ensure that those reporting vulnerabilities are contacted in good time.”
The office said it had addressed the issues involved and undertakes regular security testing of its systems.
Zemnmez said that while the reporting process was arduous, he feels researchers can’t limit their attention to commercial organisations with responsive security teams.
“I’m happy to be working security in a time where we have bug bounties,” he wrote. “But the places where security help is needed most are the places that don’t have these security investments.”
How well do you know the cloud? Try our quiz!