BugTraq
Security Advisory - MyTaxexpress 2003 Mar 25 2003 07:46PM
Nathan Wosnack (nathan hypervivid com) (1 replies)


Original Advisory: Tuesday, March 25, 2003

Severity: Medium - High

Description: Unencrypted tax-return information saved in C:\My Documents by default can pose security risks, and may disclose financial/personal information to the Internet via peer-to-peer (P2P) networks.

Version: Tested on the version released March 20, 2003

Authors: David Coomber and Nathan Wosnack were involved in the research and development.

Tax Software Background:

MyTaxexpress 2003 is a CCRA (Canada Customs and Revenue Agency) certified GUI application developed by ExpressInfo Software that allows Canadian taxpayers located in Alberta, British Columbia, and Ontario to work through their tax returns and file them electronically using a tax filing system known as NETFILE.

Description of the problem:

If you decide to save your return, your personal information is saved to your computer unencrypted in the directory C:\My Documents by default with a *.ret extension. The problem with this is two-fold. First, if someone is able to access this file, all they would need to do is open it with a text editor such as Notepad to reveal personal information. The personal information disclosed includes your full name, your address, your social insurance number, your earnings, spending claims, where you work, etc.

Second, saving your tax files in C:\My Documents makes them easier to get hold of, since many Microsoft Windows users share C:\My Documents when using P2P programs without understanding the consequences. Also, many P2P file-sharing networks have been known to share the C:\My Documents folder. One such example of a file-sharing program that does this is a program called 'Kazaa' (with K++ extensions). With a simple query on Kazaa, looking up file names such as 'taxes 2003.ret' or 'taxes.ret', one could gather large amounts of data on unsuspecting users that have C:\My Documents shared.

Recommendations:

Due to the fact that MyTaxexpress does not encrypt your tax return when saved to disk, and stores it in C:\My Documents by default, the risk of having personal financial information stolen and used for illegal purposes is high. In order to protect this financial information from disclosure and misuse, we recommend saving your returns in a different directory and encrypting your returns (and all other personal information) with a strong encryption program such as Blowfish for Windows(1) or similar.
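As an added example (not part of the original advisory or the vendor's software), the following defender-side check walks a folder such as the default C:\My Documents save location, finds *.ret files and flags those that appear to be stored in the clear. The printable-ratio and entropy thresholds are assumptions for this illustration, not a documented property of the .ret format, and the sample files are constructed.

```python
import math
import os
import tempfile
from pathlib import Path

RET_GLOB = "*.ret"  # extension MyTaxexpress uses for saved returns


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext typically sits around 4-5, encrypted data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_unencrypted(data: bytes) -> bool:
    """Heuristic (assumed thresholds): mostly printable ASCII and low entropy
    means the return was written to disk without encryption."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.9 and shannon_entropy(data) < 6.0


def find_exposed_returns(folder: Path) -> list[Path]:
    """Every *.ret file under `folder` that looks like it is stored in the clear.
    Run this against the default save directory (or any P2P shared folder)."""
    return sorted(p for p in folder.rglob(RET_GLOB)
                  if looks_unencrypted(p.read_bytes()))


def demo() -> list[str]:
    """Constructed sample: one plaintext return and one high-entropy blob
    standing in for an encrypted copy. Only the plaintext one is reported."""
    root = Path(tempfile.mkdtemp())
    (root / "taxes 2003.ret").write_text(
        "NAME=Jane Example\nSIN=000-000-000\nINCOME=41000\n")  # constructed
    (root / "taxes.enc.ret").write_bytes(os.urandom(4096))     # constructed
    return [p.name for p in find_exposed_returns(root)]


if __name__ == "__main__":
    print(demo())
```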

Related Links:

http://www.pivx.com/ - Related advisories focusing on United States tax software.

http://www.hypervivid.com/ - Information, Telecom and Wireless Security Consulting Firm.

Vendor Contact:

http://www.mytaxexpress.com/ - ExpressInfo software.

Have any questions or comments?

e-mail: advisories (at) hypervivid (dot) com [email concealed]

Copyright © 2003, Hypervivid Solutions Incorporated. All Rights Reserved.

(1) Note: We are not affiliated with any products or services mentioned on this page; we provide the links solely as a convenience to the reader.
