So although they are alright findings (arbitrary URL redirect and DOM-ish XSS), the main takeaway from the article is that it is WAY too hard to contact anyone from any form of CERT in the UK whatsoever.
I've tried myself to report vulnerabilities[1] and it's nearly impossible to find even the most generic of contact emails. I usually end up passing the info on to friends who do more gov work than myself. There REALLY needs to be a generic cert/[email protected] email somewhere.
[1] not going out of my way to find anything, but in the past if i receive a (usually HMRC related) phishing email from a .gov domain, i'll try and dig up a CERT email, or JANET if it is university related.
While, yes, I did want to make out in the second half just how difficult it was to get in contact with a CERT, it's sad to hear the other half put down to 'alright findings'...
Sure, the first issue that made me get into tax bug hunting was a run-of-the-mill open redirect, but the second issue is an interesting DOMXSS in an obfuscated vendor codebase with a WAF bypass alongside some technical commentary I worked really hard on that allows you to read and write financial data. It's sad to see that equally significant portion of my work dismissed as 'alright findings'.
>We've already started some experiments in this area with pioneering UK SME Netcraft. They're off looking for phishing hosted in the UK, webinject malware hosted in the UK and phishing anywhere in the world that targets a UK government brand. When they find it, they ask the hosting provider to take down the offending site. It's surprisingly effective and again generates data we can use. We'll definitely do more in this space.
I suspect you can forward these to [email protected] to get the upstream providers automatically notified and the site monitored until it's down.
It's even worse when you actually have an issue with tax repayments due.
I don't have a UK passport and they had moved me to the passport authentication on the website. Literally had contacted them a good 5 times; each time waiting for at least 3 weeks for the reply, constantly getting a pre-set response.
Ended up asking my accountant to tell me if my balance is not in check.
Can't say anything of the quality of the service itself though - that seems to be OK when it works. But their support is horrendous.
In Portugal you fill in the taxes in a Java application that runs in a browser after accepting an invalid security certificate, and I always have the feeling that the app has way more access to my computer than it should (saving files is done in a custom interface, not native Windows). I'm filled with deep profound sadness and conspiracy theories every single time I have to log in to that system.
It is also presented in a web page with a scrollbar and an applet with its own scrollbars, so it's always a mystery where you'll end up after a mouse scroll.
Brazil is not much different. And to make matters worse, almost every Brazilian government agency that offers online services does so using its "self" signed certificates. Now imagine how hard it is to educate people not to click on dodgy websites and certificates, when the whole government does exactly the opposite.
I say self signed certificates because it's been 10 years that Brazil nic is trying to get its CA approved.
Oh boy, I used to work at GDS and I met some people from HMRC about their Childcare voucher system thingy. And it used similar techniques to this, I raised it directly with them but they didn't think it was an issue, and my comments were drowned out by a talking shop of technocratic circle jerking.
I can't imagine the motives anyone would want to try and volunteer information about vulnerabilities to the UK gov. Maybe I'm naive, but there's so much hostility towards whitehat researchers that I'd assume Zemnmez is now on some "list" and being monitored/watched/flagged.
The reward is not having someone put you on the hook for unlimited fines by, for example, filing taxes for you with a credit card number as your annual income.
Well, then perhaps it's time to start talk of selling vulnerabilities on the Dark Web to compensate for our time?
It may be brutish, bad, evil, or whatever. I'd report willingly for open source or software I've bought for bug reports or vuln reports. But if I find a serious security issue, I expect to be compensated. And if an org makes it impossible to even contact them, I'll go to their, <ahem> competitors. They do pay.
Perhaps organizations need to be reminded of this.
I once got a parking ticket, and I was trying to figure out how to pay it online. I found a site for the city that I was supposed to put in my license plate number and my date of birth to look up a parking ticket in order to pay it online. I realized that the car was registered to one of my parents, honestly I wasn't sure I had their birthdays exactly memorized, and I couldn't contact both of them at that very moment, so I tried guessing a few dates for the birthday field. I got frustrated, and ... well I've participated in a number of security CTF challenges / puzzle games, where SQL injection is a common technique you're expected to do, and step 1 of many CTF challenges is to literally put the following characters into each text field you find:
' OR 'A'='A
It's like the SQL-injection version of "open sesame". It's generic, fitting a common coding mistake, not tailored to any specific site. It's a force of habit to use while working on CTF challenges ... Desperate to solve my problem of finding my own parking ticket, I reached to that knowledge without really thinking about it and used it. It worked, and the page showed me hundreds of parking tickets with people's full names, license plate and driver license IDs, addresses, and ticket amounts and descriptions. (A glance showed a few people were racking up thousands of dollars of parking tickets, seriously wtf?) I worried about what I did and closed the site. (Well first I scrolled through the list to see if my own parking ticket was there. It wasn't. Turns out where my parking ticket was given was actually in a different city; I was checking the wrong site to begin with.)
I thought about reporting it, but given that I already exploited it and saw private information, I thought twice. I've reported security issues at sites before, but never at a government site or involving me having seen people's private information. I got panicky and just closed the site. I don't owe them the report and the risk it puts me at. It's a nice thing I do for people who invite it or when the risk is low, but somehow I think legal actions are more likely from the site for a local court. If anyone owes anyone, it's the developers for risking people's information so carelessly and for putting me into this type of bind, but somehow I think if I reported this I think I'd be the only one at risk of being treated as a criminal.
I'm not fully sure why I felt compelled to think this was all relevant to this thread. Maybe just to illustrate some of the stress that comes from the vulnerability-reporting side of things. If you want secure systems and for people to report issues as they see them, then sometimes you need to invite the reporters. The difficulty described in the article of even reporting the issue makes me think I'm probably very far from alone in avoiding reporting this type of thing.
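The ticket-lookup form described above is the textbook case of why `' OR 'A'='A` works: the date-of-birth field is pasted straight into the SQL text, so the closing quote ends the intended comparison and the `OR 'A'='A'` that follows is true for every row. The example below is added here and is not code from the thread or from any real city's system; it builds a constructed in-memory SQLite table, shows the concatenated query beside a parameterised one, and adds the input validation a date field should have had anyway.

```python
import sqlite3
from datetime import datetime

# Constructed sample rows (plate, date of birth, amount, description); not real data.
SAMPLE_TICKETS = [
    ("ABC123", "1970-01-01", 40.00, "Expired meter"),
    ("XYZ789", "1985-06-15", 120.00, "No parking zone"),
    ("LMN456", "1992-12-31", 25.00, "Street cleaning"),
]


def make_db():
    """Create an in-memory database holding the constructed sample tickets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (plate TEXT, dob TEXT, amount REAL, description TEXT)"
    )
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?, ?)", SAMPLE_TICKETS)
    return conn


def lookup_vulnerable(conn, plate, dob):
    """The defect: user input is spliced into the SQL text, so a quote in the
    input changes the query's structure instead of being compared as data."""
    sql = (
        "SELECT plate, amount, description FROM tickets "
        "WHERE plate = '" + plate + "' AND dob = '" + dob + "'"
    )
    # With dob = "' OR 'A'='A" this becomes ... AND dob = '' OR 'A'='A', which
    # matches every row because AND binds tighter than OR.
    return conn.execute(sql).fetchall()


def lookup_safe(conn, plate, dob):
    """The fix: placeholders. The driver passes the values separately from the
    SQL, so quotes inside them are just characters to compare against."""
    sql = "SELECT plate, amount, description FROM tickets WHERE plate = ? AND dob = ?"
    return conn.execute(sql, (plate, dob)).fetchall()


def is_valid_dob(value):
    """Defence in depth: a date-of-birth field should only ever accept a date.
    Rejecting anything else up front also removes the payload before it reaches
    logging, error pages or any other consumer of the raw input."""
    try:
        datetime.strptime(value, "%Y-%m-%d")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 'A'='A"
    print("vulnerable:", lookup_vulnerable(db, "ABC123", payload))  # every ticket
    print("safe:      ", lookup_safe(db, "ABC123", payload))        # no rows
    print("valid dob? ", is_valid_dob(payload))                      # False
```

The parameterised version returns nothing for the payload because no row literally has `' OR 'A'='A` as its date of birth; the validation step turns the same input into a form error before a query is ever built.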
I don't think this is a huge step up over a standard phishing attack. A savvy user would notice that the redirected URL doesn't have an EV cert (it might not even have SSL at all). They would probably check the email address the link came from as well.
A non-savvy user would not check the email and would click any link they're sent, redirect, ssl or not. So you might as well send them a standard phishing link.
This means you're targeting users in between these two classes, so maybe it's effective for a very specific attack. And if someone is that determined they'll get in no matter what.
Plus 2fa is there on HMRC, if they request a fresh code before any major changes are made it would make it very difficult to do any serious damage.
This is a perfect phishing attack (only short of being able to send a valid email from @gov.uk). The user is always on .gov.uk and it always has a valid EV certificate.
The redirected URL in this case is another vulnerability on www.tax.service.gov.uk, so there'd be no tells from the domain or SSL configuration. If the email was well-crafted (spoofed hmrc.gov.uk, plausible contents etc.), it'd be very difficult to notice anything was amiss (unless you spot the obfuscated javascript in the URL AND recognise that it shouldn't be there).
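What makes the open redirect discussed in this sub-thread useful to a phisher is exactly that the first hop is a genuine `.gov.uk` page with a genuine certificate, so the only real defence is to never redirect to a caller-supplied absolute URL. The function below is an added example, not code from HMRC or from the write-up; it validates a `next`-style parameter against an assumed allowlist (`ALLOWED_HOSTS` is a placeholder) and falls back to a fixed path for anything else, including the scheme-relative, backslash and userinfo tricks that commonly slip past naive checks.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the example; a real service would load this from config.
ALLOWED_HOSTS = {"www.tax.service.gov.uk"}
DEFAULT_TARGET = "/"


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return `candidate` only if it is a same-site relative path or an https URL
    on an allowlisted host; otherwise return the fixed default."""
    if not candidate or len(candidate) > 2048:
        return default
    # Browsers treat '\' as '/' in http(s) URLs and control characters can split
    # headers, so reject both outright rather than trying to normalise them.
    if "\\" in candidate or any(c in candidate for c in "\r\n\t\x00"):
        return default

    parts = urlsplit(candidate)

    if not parts.scheme and not parts.netloc:
        # Relative reference: allow "/path" but not "//host/path", which urlsplit
        # already classifies as having a netloc, and not bare "path" either.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    # Absolute URL: https only, default port only, host must be allowlisted.
    if parts.scheme.lower() != "https":
        return default
    if parts.port not in (None, 443):
        return default
    # .hostname is lowercased and excludes userinfo, so
    # https://www.tax.service.gov.uk@evil.example/ resolves to "evil.example".
    if parts.hostname not in allowed_hosts:
        return default
    return candidate


if __name__ == "__main__":
    for raw in ("/account/summary",
                "//evil.example/login",
                "https://www.tax.service.gov.uk/account",
                "https://www.tax.service.gov.uk@evil.example/",
                "javascript:alert(1)"):
        print(f"{raw!r:50} -> {safe_redirect_target(raw)!r}")
```

Returning a fixed default instead of an error page keeps the user flow working while removing the attacker's control over where the genuine-looking first hop lands.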
morrbo | 8 years ago
zemnmez | 8 years ago
lol768 | 8 years ago
https://www.ncsc.gov.uk/blog-post/active-cyber-defence-tackl...
heavenlyblue | 8 years ago
lol768 | 8 years ago
It's a neat write-up - the security folks at Twitch do some great work and this is no exception.
Seems like HMRC really need to work on a responsible disclosure system of some sort, I'm surprised that there are no security@ emails.
I'm also left wondering if Content-Security-Policy could have helped with that XSS.
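On the CSP question: a policy whose effective `script-src` carries no `'unsafe-inline'` blocks the inline `<script>` and `javascript:` payloads that a DOM XSS sink such as `innerHTML` or `location` would otherwise run, and one without `'unsafe-eval'` blocks string-to-code sinks like `eval`; it does nothing for a page that still allows those keywords or any origin. The checker below is an added example, not code from the thread, and it only inspects the script-relevant parts of a policy; the header strings it is fed are constructed.

```python
def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src when absent; None means the
    browser applies no restriction at all."""
    return policy.get(directive, policy.get("default-src"))


def script_policy_findings(header):
    """Return a list of reasons why this policy would still let injected
    script run. An empty list means script-src is restrictive enough."""
    policy = parse_csp(header)
    sources = effective_sources(policy, "script-src")
    findings = []
    if sources is None:
        findings.append("no script-src or default-src: inline and remote scripts are unrestricted")
        return findings

    lowered = [s.lower() for s in sources]
    # CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash is present,
    # so only flag it when no such source is listed.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' permits injected inline scripts and javascript: URLs")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' permits eval()/new Function() on attacker-controlled strings")
    for s in lowered:
        if s in ("*", "https:", "http:", "data:"):
            findings.append(f"scheme/wildcard source {s} permits script from any matching origin")
    return findings


if __name__ == "__main__":
    # Constructed policies, weak one beside a corrected one.
    for header in ("default-src 'self'; script-src 'self' 'unsafe-inline' https:",
                   "default-src 'self'; script-src 'self' 'nonce-r4nd0m'"):
        print(header)
        for finding in script_policy_findings(header) or ["  ok"]:
            print(" ", finding)
```

The function answers the narrower question of whether a policy would have stopped injected script from executing; it says nothing about whether the vulnerable code path itself is fixed, which is why CSP is a mitigation layered on top of fixing the sink, not a replacement for it.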
fimdomeio | 8 years ago
msantos | 8 years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=438825
kn0where | 8 years ago
throwawaythrow1 | 8 years ago
TazeTSchnitzel | 8 years ago
chrisacky | 8 years ago
What's the reward/risk?
noir_lord | 8 years ago
I just assume they are monitoring everything I do online anyway.
ben_w | 8 years ago
neoh | 8 years ago
lol768 | 8 years ago
It was an XSS, which has been considered high priority by most people for a while: https://bugcrowd.com/vulnerability-rating-taxonomy
As he mentioned in the write-up I linked, you could use this for both retrieving data and performing actions.
occultist_throw | 8 years ago
AgentME | 8 years ago
megawatthours | 8 years ago
kevin_thibedeau | 8 years ago
pbhjpbhj | 8 years ago
albertgoeswoof | 8 years ago
IshKebab | 8 years ago
stordoff | 8 years ago