Blogger Discovered LHDN e-Filing Security Vulnerability
April 11, 2007 by Gaman
You know I’ve always wondered how secure the LHDN e-filing system was. When the publics’ private and confidential info is involved, there’s no excuse for them not to build a robust, scalable and secure system.
With a mantra ‘Mudah Tepat Selamat’ (Easy Accurate Secure) – one would expect they have done rigorous testings to ensure the system lives to its expectation.
He was shocked to find he was able to see the other tax payers account details after clicking the “Save & Continue” button. It looks like this is a simple cookies permission problem or perhaps database related problem but I don’t know for sure.
If that’s the case, it seems to me the developers were either not fully qualified or didn’t do enough testing before the system went live.
The security flaw was discovered on 7 April, I am not sure if it has been fixed at the time of this writing but two days after the discovery, the flaw was still in the wild.
A person named Najlah Ishak who claimed to be the Public Relations Officer for LHDNM did post a comment where she asked to be contacted at 019-222 0034.
What I find unsettling was that we don’t know if Najlah really works for LHDN. She could be an impersonator trying to take advantage of the situation. If she is the real Public Relations Officer, she should have made it easier for the blogger to report the problem by giving her official contact number or LHDN email address.
I Googled her name and found there’s indeed a person with such name working as LHDN Public Relations Officer.
While I read the comments from the readers, I noticed there’s another person called Trevor Keegan who is trying to get information how to reproduce the problem. Trevor admitted that he does not work for LHDN and he’s just an external software developer that develops Tax Software and e-Filing integration products. Not sure if he meant the LHDN e-Filing though.
While I appreciate his concern, I would not encourage people to report any problem they encounter with the LHDN e-filing to a third party. Again what Trevor should’ve done was to contact his customer i.e. LHDN and together try to handle this problem from there.
They should not make the blogger feels intimidated by making it sounds like as if it’s his fault or be suspicious of his intention. If that happen, nobody will be willing to come forward next time when another security flaw is discovered.
I understand that they are probably trying to help but the way they handle the matter could make it worst.
I took advantage of the LHDN e-filing system last year but I had to go to their office to complete it because it failed to work on my local PC.
This year I am going to use the e-filing system again and I really hope it is as secure as they made us believe.
Update: This problem has been fixed.