© 2023 CyberNews - Latest tech news, product reviews, and analyses.


Florida Department of Revenue exposed user data, including Social Security numbers


Security researcher Kamran Mohsin discovered a flaw in the Florida Department of Revenue system, which exposed over 700,000 customers, including their Social Security numbers, physical addresses, and bank account details, among other sensitive data.

The leak, according to Mohsin, occurred due to a critical insecure direct object reference (IDOR) vulnerability enabling an unauthorized party to view, change, and even delete the personal information of business owners.

IDOR is a common access control vulnerability in which an application exposes a direct reference to an internal object, such as a record ID, and fails to verify that the requesting user is authorized to access it, so users who should not have access can read confidential information or perform restricted operations.

Mohsin was able to confirm over 713,000 user accounts/applications with the Florida Department of Revenue.

"It should be noted that the application ids are created in an incremental manner, so based on the latest application ID, I confirmed that there are 713,000+ user accounts/applications registered with the Florida Department of Revenue. I would emphasize again, nearly a million user accounts are exposed to crucial data leakage that could be leveraged by the attackers and therefore could be used in instrumenting targeted attacks," Mohsin told Cybernews in an email.

According to screenshots shared with Cybernews, Mohsin reached out to the Florida Department of Revenue on October 27. The issue is now fixed.

Because of the bug, the Florida Department of Revenue exposed sensitive customer information: names, emails, physical and mailing addresses, business names and other associated critical information, VISA, employer identification numbers, Social Security numbers, and bank account details.

As proof, Mohsin shared a couple of screenshots of the flaw with Cybernews, where user names, emails, physical addresses, phone numbers, and Federal Employer ID Numbers (FEIN) were exposed to unauthorized parties.

The screenshots indicate that a threat actor could edit applications and delete personal data by leveraging the bug. Applications that had already been submitted could not be edited, but their user data was still exposed.
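The access-control failure described above (a lookup keyed only by a sequential application ID, with view, edit and delete exposed to any caller), as an added example that is not the agency's code, whose implementation is not public: the vulnerable lookup sits beside a version that checks ownership and refuses edits to already-submitted applications. The record store, user names, FEIN values and the Forbidden error are constructed for illustration.

```python
"""Constructed IDOR illustration; not the Department's implementation."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested record."""


@dataclass
class Application:
    app_id: int          # sequential ID, like those the researcher observed
    owner: str           # account that created the registration
    data: dict
    submitted: bool = False


# Constructed sample store: IDs are incremental, so guessing one is trivial.
APPLICATIONS = {
    1001: Application(1001, "alice", {"business": "Alice LLC", "fein": "12-3456789"}),
    1002: Application(1002, "bob", {"business": "Bob Inc", "fein": "98-7654321"},
                      submitted=True),
}


def get_application_vulnerable(app_id: int) -> dict:
    """IDOR: resolves the ID with no ownership check, so any caller reads any record."""
    return APPLICATIONS[app_id].data


def _load_owned(user: str, app_id: int) -> Application:
    """Resolve the ID and enforce ownership before handing the record back.
    Missing and foreign records raise the same error, so a caller cannot
    learn which IDs exist by probing (limits enumeration of the ID space)."""
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner != user:
        raise Forbidden(f"user {user!r} may not access application {app_id}")
    return app


def view_application(user: str, app_id: int) -> dict:
    return dict(_load_owned(user, app_id).data)


def edit_application(user: str, app_id: int, changes: dict) -> dict:
    app = _load_owned(user, app_id)
    if app.submitted:  # submitted registrations are immutable
        raise Forbidden(f"application {app_id} already submitted")
    app.data.update(changes)
    return dict(app.data)


def delete_application(user: str, app_id: int) -> bool:
    _load_owned(user, app_id)
    del APPLICATIONS[app_id]
    return True


def is_forbidden(fn, *args) -> bool:
    """True if the call is rejected by the authorization check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```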

We’ve reached out to the Florida Department of Revenue for more details and will update the article upon receiving their response. In statements quoted by other media, the agency apparently confirmed the issue, said it was fixed within a couple of days of the disclosure, and said all affected filers had been contacted.

Florida Department of Revenue confirmed that it had received a report concerning a vulnerability on the Department’s Business Tax Registration Application.

“The Department verified the vulnerability and immediately removed the application from external access. The Department corrected the vulnerability in the registration application within 24 hours, and two external data security companies have verified that the application is now secure,” it said.

According to the Florida Department of Revenue, the vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information.

“Within a two-day timeframe, the Department attempted to contact each affected business by phone and had contacted all affected taxpayers by phone or in writing within four days. The Department has also offered one year of complimentary credit monitoring to each affected taxpayer,” it said.

None of the 417 affected taxpayers have reported signs of information exploitation.

