The security researcher concluded that by exploiting either flaw, attackers could view or modify tax records or harvest key details from British citizens. After a short period of experimentation, he found that it was possible to use the HMRC site as a “forwarding service” and send a victim to any site an attacker wanted. This type of bug is known as an open redirect vulnerability and is a common weakness found on many different sites.
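As an added illustration (not code from the article, HMRC or the researcher), this is the pattern behind an open redirect and one way to close it: the vulnerable handler trusts a request parameter as the forwarding target, while the hardened version only accepts a same-site path. Hostnames and paths are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed example: a login page that sends the user on to a "next" URL.
# If the parameter is trusted as-is, the site becomes a forwarding service.

def vulnerable_redirect_target(next_url: str) -> str:
    """Open redirect: whatever the request says, the user is sent there."""
    return next_url


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Hardened: only an absolute path on this site is accepted;
    anything else falls back to a known-safe default."""
    if not next_url:
        return default
    # Browsers treat backslashes as slashes, so normalise them first;
    # otherwise "/\evil.example" would look like a relative path.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    # Reject absolute URLs ("https://...", "javascript:...") and
    # scheme-relative URLs ("//host/..."), which both leave the site.
    if parts.scheme or parts.netloc:
        return default
    # Require a path rooted at "/" and refuse "//" forms outright.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    # Control characters and whitespace can confuse URL parsers; refuse them.
    if any(ord(ch) < 0x21 for ch in candidate):
        return default
    return candidate
```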
The second security issue was potentially more damaging: if exploited, it could give an attacker control over a victim’s information, potentially letting them modify it. The code vulnerable to this serious bug was found in a website script used to digitally fingerprint users for fraud protection.
In response, HMRC’s online tax service said it had addressed the problems and was looking at improving ways for people to get in touch. Furthermore, HMRC is working with the National Cyber Security Centre (NCSC) to ensure that there is a single route for reporting security vulnerabilities to government.