Security Advisory - MyTaxexpress 2003

From: Nathan Wosnack (nathan@hypervivid.com)
Date: 03/25/03

    Date: 25 Mar 2003 19:46:33 -0000
    From: Nathan Wosnack <nathan@hypervivid.com>
    To: bugtraq@securityfocus.com
    
    

    Original Advisory: Tuesday, March 25, 2003

    Severity: Medium - High

    Description: MyTaxexpress saves tax-return information unencrypted, by
    default in C:\My Documents. Anyone who can read that file obtains the
    taxpayer's personal and financial data, and because many peer-to-peer
    (P2P) file-sharing clients share C:\My Documents, the file may be
    disclosed to the Internet.

    Version: Tested on the version released March 20, 2003

    Authors: David Coomber and Nathan Wosnack were involved in the research
    and development.

    Tax Software Background:

    MyTaxexpress 2003 is a CCRA (Canada Customs and Revenue Agency) certified
    GUI application developed by ExpressInfo Software that allows Canadian
    taxpayers located in Alberta, British Columbia, and Ontario to work
    through their tax returns and file them electronically using the CCRA's
    electronic filing system, NETFILE.

    Description of the problem:

    If you decide to save your return, your personal information is written to
    disk unencrypted, by default in the directory C:\My Documents with a *.ret
    extension. The problem is two-fold. First, the file is plain text: anyone
    who can access it only needs to open it with a text editor such as Notepad
    to read your full name, address, social insurance number, earnings,
    spending claims, employer, and so on. (On Windows 95/98/Me, where
    C:\My Documents is the system default, the FAT file system has no file
    permissions at all, so any user of the machine can read it.) Second,
    C:\My Documents is a poor default location, because many Microsoft Windows
    users share C:\My Documents through P2P programs without understanding the
    consequences, and some P2P file-sharing clients have been known to share
    that folder on their own. One such example is 'Kazaa' (with the K++
    extensions). With a simple Kazaa query for file names such as
    'taxes 2003.ret' or 'taxes.ret', one could gather large amounts of data on
    unsuspecting users who have C:\My Documents shared.
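The exposure described above can be audited with a small script. The one below is an added example, not code from the advisory, from Hypervivid, or from MyTaxexpress: it walks a folder, picks out *.ret files, and reports any that contain a cleartext Canadian Social Insurance Number (a SIN is nine digits that satisfy the Luhn checksum, so a Luhn test filters out most other nine-digit runs, while a ten-digit phone number never matches), together with whether the file sits under a folder P2P clients commonly share. The list of shared folders and the sample .ret contents are constructed for the example; the real MyTaxexpress file format is not known here and is not reproduced.

```python
"""Added example (not part of the advisory or of MyTaxexpress): audit a
folder for *.ret files that hold a cleartext Canadian SIN and flag files
that live under a folder P2P clients commonly share."""

import os
import re
import tempfile
from typing import Dict, List

# Folders that P2P clients of the period were known to share by default.
# This list is an assumption for the example, not a claim about any vendor.
DEFAULT_SHARED_DIRS = (
    "c:\\my documents\\",
    "c:\\program files\\kazaa\\my shared folder\\",
)

# Nine digits, optionally grouped 3-3-3 with spaces or hyphens, and not part
# of a longer digit run (so ten-digit phone numbers do not match).
SIN_PATTERN = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that SINs use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sins(text: str) -> List[str]:
    """Return every Luhn-valid SIN candidate in text, as bare digits."""
    hits = []
    for m in SIN_PATTERN.finditer(text):
        digits = "".join(m.groups())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def in_default_share(path: str) -> bool:
    """True if a Windows path lies under one of DEFAULT_SHARED_DIRS."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d) for d in DEFAULT_SHARED_DIRS)


def scan_directory(root: str) -> List[Dict]:
    """Walk root and report every *.ret file with its cleartext findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.lower().endswith(".ret"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                # latin-1 never fails to decode, so binary (e.g. encrypted)
                # files are scanned too; they simply yield no valid SINs.
                text = fh.read().decode("latin-1")
            sins = find_sins(text)
            findings.append({
                "name": name,
                "path": path,
                "sins": sins,
                "cleartext": bool(sins),
                "in_shared_dir": in_default_share(path),
            })
    return findings


def demo() -> List[Dict]:
    """Scan a temporary folder holding two constructed .ret files."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: a cleartext return with a Luhn-valid SIN
        # (123-456-782) and a ten-digit phone number that must not match.
        with open(os.path.join(tmp, "taxes 2003.ret"), "w") as fh:
            fh.write("NAME=Jane Example\nSIN=123-456-782\n"
                     "PHONE=555-123-4567\nEMPLOYER=Example Ltd\n"
                     "TOTAL_INCOME=48250.00\n")
        # Constructed sample: a nine-digit run that fails Luhn (123-456-789).
        with open(os.path.join(tmp, "scratch.ret"), "w") as fh:
            fh.write("REF=123-456-789\n")
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo():
        status = "CLEARTEXT SIN" if f["cleartext"] else "no SIN found"
        print(f"{f['name']}: {status} {f['sins']} shared={f['in_shared_dir']}")
```

Run against a real machine by calling scan_directory on the user's documents folder; a file that has been encrypted as the advisory recommends decodes to noise and produces no Luhn-valid hit, so the script doubles as a check that the encryption step was actually applied.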

    Recommendations:

    Because MyTaxexpress does not encrypt your tax return when it is saved to
    disk, and stores it in C:\My Documents by default, the risk of personal
    financial information being stolen and used for illegal purposes is high.
    To protect this information from disclosure and misuse, we recommend
    saving your returns in a different directory, one that is not shared by
    any P2P client, and encrypting your returns (and all other personal
    information) with a strong encryption program such as Blowfish for
    Windows(1) or similar, deleting the unencrypted copy once the encrypted
    one has been verified.

    Related Links:

    http://www.pivx.com/ - Related advisories focusing on United States tax
    software.

    http://www.hypervivid.com/ - Information, Telecom and Wireless Security
    Consulting Firm.

    Vendor Contact:

    http://www.mytaxexpress.com/ - ExpressInfo software.

    Have any questions or comments?
    e-mail: advisories@hypervivid.com

    Copyright 2003, Hypervivid Solutions Incorporated. All Rights Reserved.
    (1) Note: We are not affiliated with any products or services mentioned on
    this page, we provide the links solely as a convenience to the reader.

