lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030325194633.4811.qmail@www.securityfocus.com>
Date: 25 Mar 2003 19:46:33 -0000
From: Nathan Wosnack <nathan@...ervivid.com>
To: bugtraq@...urityfocus.com
Subject: Security Advisory - MyTaxexpress 2003




Original Advisory: Tuesday, March 25, 2003

Severity: Medium - High

Description: Unencrypted tax-return information saved in C:\My Documents 
by default can pose security risks, and may disclose financial/personal 
information to the Internet via peer-to-peer (P2P) networks.

Version: Tested on the version released March 20, 2003

Authors: David Coomber and Nathan Wosnack were involved in the research 
and development.

Tax Software Background:

MyTaxexpress 2003 is a CCRA (Canada Customs and Revenue Agency) certified 
GUI application developed by ExpressInfo Software that allows Canadian tax 
payers located in Alberta, British Columbia, and Ontario to work through 
their tax returns and file them electronically using a tax filing system 
known as NETFILE.

Description of the problem:

If you decide to save your return, your personal information is saved to 
your computer unencrypted in the directory C:\My Documents by default with 
a *.ret extension. The problem with this is two-fold; if someone is able 
to access this file, then all they would need to do is open it with a text 
editor such as Notepad to reveal personal information. The personal 
information disclosed includes your full name, your address, your social 
insurance number, your earnings, spending claims, where you work, etc. 
Saving your tax files in C:\My Documents makes it easier to get a hold of 
since many Microsoft Windows users share C:\My Documents when using P2P 
programs without understanding the consequences. Also, Many P2P file-
sharing networks have been known to share the C:\My Documents folder. One 
such example of a file sharing program that does this is a program 
called 'Kazaa' (with K++ extensions). With a simple query on Kazaa, 
looking up file names such as 'taxes 2003.ret', 'taxes.ret', one could 
gather large amounts of data on unsuspecting users that have C:\My 
Documents shared.

Recommendations:

Due to the fact that MyTaxexpress does not encrypt your tax return when 
saved to disk, and stores it in C:\My Documents by default, the risk of 
having personal financial information stolen and used for illegal purposes 
is high. In order to protect this financial information from disclosure 
and misuse, we recommend saving your returns in a different directory and 
encrypting your returns (and all other personal information) with a strong 
encryption program such as Blowfish for Windows(1) or similar.

Related Links:

http://www.pivx.com/ - Related advisories focusing on United States tax 
software.

http://www.hypervivid.com/ - Information, Telecom and Wireless Security 
Consulting Firm.

Vendor Contact:

http://www.mytaxexpress.com/ - ExpressInfo software.

Have any questions or comments?
e-mail: advisories@...ervivid.com

Copyright © 2003, Hypervivid Solutions Incorporated. All Rights Reserved. 
(1) Note: We are not affiliated with any products or services mentioned on 
this page, we provide the links solely as a convenience to the reader.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ