Florida Data Breach: IDOR Vulnerability Exposes Tax Filers Personal Information
An IDOR flaw led to the exposure of sensitive bank details of hundreds of Florida taxpayers, causing a significant Florida data breach and highlighting critical vulnerabilities in data security protocols.
Jaydev Ahire
The Social Security and bank account data of hundreds of taxpayers were disclosed due to a security vulnerability in Florida's Department of Revenue website.
Understanding the Florida Data Breach: A Detailed Analysis
Security researcher Kamran Mohsin discovered a security vulnerability on Florida's Department of Revenue's website. The first information about the incident was issued in a report published by TechCrunch on Dec 2nd, 2022. The report said that the vulnerability exposed sensitive data belonging to hundreds of taxpayers, such as bank account numbers and social security cards.
How did the data breach happen?
The security researcher who discovered the vulnerability manipulated the parameter in the URL that carries the taxpayer's application number. Because these application numbers were sequential, the researcher could enumerate taxpayer information by incrementing the application number by one.
For example, imagine the URL is /applications/{application-id}. Here {application-id} is sequential, so valid values are 200, 201, 202 and so on. An attacker can read the application details of any taxpayer simply by incrementing {application-id}. The attacker gets the data because the endpoint has no proper authorization check: it verifies that the caller is logged in, but never that the caller owns the record being requested.
The vulnerability is known as Insecure Direct Object Reference (IDOR), a vulnerability class in which a user gains unauthorized access to another user's sensitive data by manipulating user or object IDs.
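The pattern described above, as an added example that is not the Department's code: a lookup handler for /applications/{application-id} in its IDOR form next to a hardened form that scopes the lookup to the caller, plus a small walk-the-id-range check of the kind a release test would run. The records, the taxpayer names and the `session_user` parameter are constructed for the example; `session_user` is assumed to come from an already-verified session.

```python
"""Vulnerable and hardened lookups for /applications/{application-id}.

Added example, not the Department's code. The "session user" is assumed to
come from an already-verified session; the records are constructed."""
import secrets

# Constructed records keyed by sequential application id, as described above.
APPLICATIONS = {
    200: {"owner": "taxpayer-A", "bank_account": "****1111"},
    201: {"owner": "taxpayer-B", "bank_account": "****2222"},
    202: {"owner": "taxpayer-C", "bank_account": "****3333"},
}


class NotFound(Exception):
    """Record missing, or not visible to this caller."""


def get_application_vulnerable(session_user, application_id):
    """IDOR: authentication happened (we have a session_user) but the
    handler never asks whether this user may see this record."""
    if application_id not in APPLICATIONS:
        raise NotFound(application_id)
    return APPLICATIONS[application_id]


def get_application_secure(session_user, application_id):
    """Hardened: the lookup is scoped to the caller. A foreign id gets the
    same NotFound as a missing one, so the response does not confirm that
    the record exists."""
    record = APPLICATIONS.get(application_id)
    if record is None or record["owner"] != session_user:
        raise NotFound(application_id)
    return record


def handle(handler, session_user, application_id):
    """Map a handler outcome to an HTTP-style status and body."""
    try:
        return 200, handler(session_user, application_id)
    except NotFound:
        return 404, None


def readable_ids(handler, session_user, start, stop):
    """Authorization check for a release test: walk a range of ids as one
    user and report which are readable. For a correct handler the answer
    is only that user's own records."""
    return [i for i in range(start, stop)
            if handle(handler, session_user, i)[0] == 200]


def new_application_id():
    """Defence in depth: a random id cannot be guessed by incrementing.
    It does not replace the ownership check above; it only removes the
    easy enumeration path."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("vulnerable:", readable_ids(get_application_vulnerable, "taxpayer-A", 199, 204))
    print("secure:    ", readable_ids(get_application_secure, "taxpayer-A", 199, 204))
```

The ownership comparison is the fix; the random identifier is only a second layer. Returning the same 404 for a foreign record and for a missing one keeps the endpoint from acting as an oracle for which ids exist.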
By exploiting this vulnerability, the researcher discovered over 713,000 applications in the Department's system. He further claimed that on October 27th, 2022, he alerted the Florida Department of Revenue, and the flaw was fixed within four days. Despite the bug being resolved, he said he had not been contacted by the Department since.
What's the impact of the Florida Data Breach?
Anyone who logged in to the state's business tax registration website could access, modify, and delete the personal data of business owners whose information is on file with the state's tax authority.
The vulnerability allowed the external individual to view registration data submitted by taxpayers, including 417 registrations that contained confidential information. Within a two-day timeframe, the Department attempted to contact each affected business by phone and contacted all affected taxpayers by phone or in writing within four days. The Department has also offered each affected taxpayer one year of complimentary credit monitoring.
Source: Techcrunch
Lessons learned:
Implement robust auth - Identify all private objects and resources in your database. Ensure all those resources are checked for correct authentication and authorization before returning the result.
Code review - Ensure authorization is implemented correctly whenever a new page or API is introduced. When an existing API is modified, check whether it still requires authorization and whether the check still covers the modified behaviour.
Business Logic Security Testing - All authorized pages and APIs must go through a security check before a release. One of the business logic tests is IDOR (now categorised as BOLA). It is important to check for all OWASP Top 10 vulns before every release. The manual process is time consuming - an automated solution, such as Akto, is the best resolution here. Deep business cases still have to be tested manually.
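Prevention is the lesson the article draws, but the enumeration it describes also leaves a recognisable trace in access logs: one session reading many consecutive application ids, where a real taxpayer reads one or two. The following detection logic is an added example, not part of the original article; the log lines are constructed in Common Log Format for the /applications/{id} path described above, and the user field is assumed to hold the authenticated session's username.

```python
"""Detecting id enumeration against /applications/{id} in access logs.

Added example with constructed data; the log format and user field are
assumptions, not the Department's actual logging."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /applications/(?P<id>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)

# Constructed sample: user17 walks six consecutive ids; user42 and user8
# each read a single record, which is what a taxpayer checking their own
# application looks like.
SAMPLE_LOG = """\
203.0.113.5 - user17 [02/Dec/2022:10:00:01 +0000] "GET /applications/4410 HTTP/1.1" 200
203.0.113.5 - user17 [02/Dec/2022:10:00:02 +0000] "GET /applications/4411 HTTP/1.1" 200
198.51.100.9 - user42 [02/Dec/2022:10:00:03 +0000] "GET /applications/9001 HTTP/1.1" 200
203.0.113.5 - user17 [02/Dec/2022:10:00:04 +0000] "GET /applications/4412 HTTP/1.1" 200
203.0.113.5 - user17 [02/Dec/2022:10:00:05 +0000] "GET /applications/4413 HTTP/1.1" 404
203.0.113.5 - user17 [02/Dec/2022:10:00:06 +0000] "GET /applications/4414 HTTP/1.1" 200
203.0.113.5 - user17 [02/Dec/2022:10:00:07 +0000] "GET /applications/4415 HTTP/1.1" 200
198.51.100.7 - user8 [02/Dec/2022:10:00:08 +0000] "GET /applications/1200 HTTP/1.1" 200
203.0.113.5 - user17 [02/Dec/2022:10:00:09 +0000] "GET /applications/4410 HTTP/1.1" 200
"""


def parse_requests(log_text):
    """Yield (user, application_id, status) for every line that matches."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("user"), int(m.group("id")), int(m.group("status"))


def longest_sequential_run(ids):
    """Length of the longest run in which each id is the previous id + 1.
    Requests are taken in log order. A 404 still counts: after the fix a
    probe for a record the caller does not own looks like a miss, and a
    run of misses is just as telling as a run of hits."""
    best = run = 0
    prev = None
    for i in ids:
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


def find_enumeration(log_text, min_run=5):
    """Return {user: {"run": n, "distinct": k}} for users whose longest
    sequential run reaches min_run. Grouping per user catches one session
    walking the id space; group by ip as well where accounts are cheap to
    create."""
    ids_by_user = defaultdict(list)
    for user, app_id, _status in parse_requests(log_text):
        ids_by_user[user].append(app_id)
    flagged = {}
    for user, ids in ids_by_user.items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[user] = {"run": run, "distinct": len(set(ids))}
    return flagged


if __name__ == "__main__":
    for user, stats in find_enumeration(SAMPLE_LOG).items():
        print(f"{user}: sequential run of {stats['run']}, "
              f"{stats['distinct']} distinct ids")
```

The threshold is a tuning choice: a run of five consecutive ids from one session has no legitimate explanation on an endpoint where each taxpayer owns one application, so it can be low without generating noise. Once the ownership check is in place the same rule keeps working, because the probes turn into 404s rather than disappearing.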