A researcher who spent 57 days trying to report a bug on HMRC’s online tax service site has said that the UK tax office must improve the way it handles website security problems – adding that finding the correct contact to report the issue to was even more challenging than actually finding the bug in the site.
Speaking with the BBC, the researcher and security expert simply known as ‘Zemnex’ found two separate bugs within the site, which could have easily have attackers view or modify tax records or collect key details from UK taxpayers.
“I spent days reaching out to half a dozen different Government social media accounts attempting to find where the right place to go was and got nothing meaningful in response,” he told the BBC.
He added that eventually the UK’s National Cyber Security Centre (NCSC) was able to help get the security problems solved.
Zemnex realised that the HRMC site was at risk as he checking his taxes. He quickly realised that it was possible to use the HRMC site as a ‘’forwarding service’, which could be utilised to coax a victim into revealing financial information, credentials and usernames and passwords. He then discovered a second bug that could potentially give an attacker control over a victim’s information.
Although the bugs were fairly easy to find, Zemnex then realised that trying to contact the right person to report the security issues wouldn’t be quite as easy.
“I understand the significant difficulties involved in these programmes,” he told the BBC. “If a programme were opened to the public to disclose issues without very significant and robust preparation, it would quickly become totally overwhelmed by the volume of reports, both valid and invalid.”
In a statement, HRMC said it was working with the NCSC regarding its security procedures.