Security Company-PivX, Releases TurboTax and TaxCut Information Disclosure Vulnerability, Potential Identity Theft

Newport Beach, CA, March 12th, 2003 : PivX Solutions, a leader in Network Security is pleased to announce the release of two thronged vulnerability advisories discovered by Mike Kristovich, a security researcher for PivX Solutions.
As the April 15th filing deadline approaches PivX Solutions releases two vulnerabilities dealing with computer filing applications. These vulnerabilities deal with how Intuit’s TurboTax (#MK002A) and H&R Block’s TaxCut (#MK002B) store saved returns, in plain text. This means anyone with access to the computer or medium in which these advisories are stored on can read social security numbers, dependents social security numbers, address, names, and more without any authentication or decryption whatsoever. [tax file’s contents viewed with notepad, simple text editor]

“both programs save their contents to the hard drive. These files are unencrypted, and even with a simple text editor, you can see all the information you would in the tax return.” Kristovich explains. [tax files viewed over public cable broadband]

According to the Jupiter report, 31 percent of online households intend to file their taxes over the Web this year, up from the 30 percent reported by the Internal Revenue Service (IRS) last year. The IRS plans to receive 80 percent of all returns electronically by 2007.

Many computers have file sharing enabled which makes for easy extraction of these confidential files by an attacker, and those who do not have simple sharing enabled, there are myriad of other ways to steal this data. Another key method to extract these files by means of a P2P file sharing application such as Limewire, KaZaa, Morpheus, etc etc. Many users have their P2P applications misconfigured and this is supported by doing a quick search on the tax file extension listed below. See the below KaZaa screenshot of a local-range search for tax files. “A full network search could yeild thousands upon thousands of results.” exclaims Kristovich. [kazaa local-range search results on tax files]

“a large number of Both TurboTax and TaxCut files were found on kazaa.” says Geoff Shively, CHO PivX Solutions

With the influx of e-tax filers and the rise in identity theft PivX believes this vulnerability should be taken quite seriously. Someone with a minimal set of computer skills could locally or remotely obtain confidential information on multitude of users. With complaints about identity theft have rising 73 percent from a year ago, according to a new report from the Federal Trade Commission, Identity Theft is all to real of a threat in 2003.

“It’s clear that the growth of the Internet has changed the kinds of fraud that appear,” Howard Beales III, director of the FTC’s Bureau of Consumer Protection said at a press conference. “There are kinds of frauds that were virtually dead that the Internet has brought back.” Beales punctuates.

Intuit, the e-Tax filing leader who’s revenue of $558.1 million increased 17 percent from the second-quarter 2002 was glad to work with PivX on this matter, and works towards a fix in their newest version of TurboTax to be released on an undisclosed date. The maker of TaxCut was less cooperative. “H&R Block with over 2.3 million users to protect could not find the time to respond to PivX’s multitude of contact attempts via phone and email.” says Geoff Shively

For more information please see the full advisories (#MK002A.txt) (#MK002B.txt) by Kristovich & Shively.