ATO's Windows bias reveals possible hole


Summary: The denizens of global security mailing list Bugtraq have started discussing whether the Australian Taxation Office's (ATO) e-tax 2010 software, which is currently being used by millions of Australians to submit their tax returns, has a security hole in it due to the way it deals with remote Secure Socket Layer (SSL) certificates.



The flaws were discovered unintentionally when a security expert, known only as Dave B, became fed up with the ATO restricting e-tax to Windows and tried to work around it so that he did not have to use Microsoft's platform.

At first Dave thought that the software did not check the domain name in the SSL certificate, and would work with any certificate that came from a valid certificate authority. Further tests showed that a "freshly generated" self-signed certificate was accepted by the software as well: the SSL certificate does not need to be signed by a certificate authority at all.

E-tax will communicate over unencrypted Hypertext Transfer Protocol (HTTP) rather than Hypertext Transfer Protocol Secure (HTTPS) if it is told to, for example through URL manipulation with the Apache mod_rewrite module. E-tax 2010 sends the details of the tax request in a Simple Object Access Protocol (SOAP) request.

"We don't provide comment on security-related matters; however, we can assure taxpayers that income tax details submitted by e-tax software is secure," the ATO said in response to queries on the matter.

Securus Global managing director Drazen Drazic said that he believed the risks were clear and that the whole process was open to incursions such as man-in-the-middle (MITM) attacks, in which an attacker could pull information from the stream between the ATO and the e-tax end user.

"The risks seem to be purely on the client side of things in regards to this advisory," he said. "People need to be careful when accessing. How it's working based upon the advisory means people could be directed to anywhere with personal information being sent to unauthorised parties. Given the type of information, not a good thing."

For instance, if an individual holds an SSL certificate for another website, that certificate could be used to masquerade as the ATO's tax server. The ATO was contacted last Thursday for comment but had not responded to the issue by the time of publication.
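The three behaviours described above (a self-signed certificate being accepted, a certificate issued for some other site being accepted, and a silent fall-back to plain HTTP) all come down to a client that never verifies whom it is talking to. The Go program below is an added example, not the ATO's e-tax code: it starts local test servers with constructed certificates and compares a lax client that skips verification with a strict one that checks the certificate chain, the expected host name and the URL scheme. The host name ato.example.test is a hypothetical placeholder, not the real ATO endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Result records whether each client completed the request in one scenario.
type Result struct {
	Scenario string
	LaxOK    bool // client that skips verification, as e-tax was reported to do
	StrictOK bool // client that checks the chain, the host name and the scheme
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert makes a throwaway self-signed certificate for dnsName and a
// trust store holding only that certificate (standing in for a public CA).
// Constructed test material; it is unrelated to any real ATO certificate.
func selfSignedCert(dnsName string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

func newClient(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
}

// get performs the request; with requireHTTPS it is refused before anything is
// sent if the URL has been rewritten to plain http.
func get(c *http.Client, rawURL string, requireHTTPS bool) error {
	if u, err := url.Parse(rawURL); err != nil || (requireHTTPS && u.Scheme != "https") {
		return fmt.Errorf("refusing to send tax data to %q", rawURL)
	}
	resp, err := c.Get(rawURL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// Demo runs four scenarios against local test servers: an unknown self-signed
// certificate, a trusted certificate for another site, the right certificate, and plain http.
func Demo() []Result {
	const expectedHost = "ato.example.test" // hypothetical; not the real ATO endpoint
	handler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "<soap:Envelope/>") })
	good, goodPool := selfSignedCert(expectedHost)
	other, otherPool := selfSignedCert("other.example.test")
	lax := newClient(&tls.Config{InsecureSkipVerify: true})
	strict := func(roots *x509.CertPool) *http.Client {
		return newClient(&tls.Config{RootCAs: roots, ServerName: expectedHost, MinVersion: tls.VersionTLS12})
	}
	var out []Result
	probe := func(name string, cert tls.Certificate, roots *x509.CertPool) {
		srv := httptest.NewUnstartedServer(handler)
		srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
		srv.StartTLS()
		defer srv.Close()
		out = append(out, Result{name, get(lax, srv.URL, false) == nil, get(strict(roots), srv.URL, true) == nil})
	}
	probe("self-signed, unknown to client", good, x509.NewCertPool())
	probe("trusted cert for a different site", other, otherPool)
	probe("trusted cert for the expected site", good, goodPool)
	plain := httptest.NewServer(handler) // the downgrade case: same service over plain http
	defer plain.Close()
	return append(out, Result{"plain http instead of https", get(lax, plain.URL, false) == nil, get(strict(goodPool), plain.URL, true) == nil})
}

func main() {
	for _, r := range Demo() { fmt.Printf("%-36s lax=%v strict=%v\n", r.Scenario, r.LaxOK, r.StrictOK) }
}
```

The lax client completes every request, including the ones where the server presents a certificate it has never seen, a certificate for some other site, or no TLS at all; the strict client only completes the request when the certificate chains to a trusted root, names the expected host, and the URL is still https. Pinning ServerName in the client rather than trusting whatever host the URL points at is what stops a rewritten URL from sending the SOAP request elsewhere.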

Last week Dave posted his discovery to Bugtraq in a series of messages, each revealing that the problem was worse than previously thought. The first post can be viewed here; subsequent posts can be found here and here.

Updated at 5:30pm, 13 September 2010: included comment from ATO.

Topics: Government, Government AU, Security


Talkback

  • What's this got to do with Windows? Poorly written/designed software can be written on any platform.

    That's like saying it's Apple's fault for insecure Adobe software, so using Apple's OS is dangerous.
    Pachanga-4184c
  • It's got nothing to do with Windows, more to do with the ATO's bias towards Windows. If the ATO had released Linux and OSX software this bug might not have been found. It was in the effort to port this software to a new OS that this bug was found.

    I bet the e-tax software is far from secure. I'm sure if hackers wanted to they could quite easily intercept your tax details. This is probably not something a security researcher would want to bring to light though due to the sensitive nature of it (and maybe, as I would, fear of retribution from the ATO itself; the next 20 years of my life being audited sounds like enough discouragement to me not to disclose security issues).
    m00nh34d
  • Regardless, Windows is not to blame for the ATO's poorly written software. E-Tax is outdated software that has been maintained by the ATO. There are bound to be issues with it. This has nothing to do with the operating system itself.

    Besides, there is nothing wrong with the ATO's bias towards Windows software. The majority of its users are using Windows software. Almost all accountants use Windows software. The ATO is just catering to the majority.
    Azizi Khan