
Blogger Discovered LHDN e-Filing Security Vulnerability

April 11, 2007 by  

You know, I’ve always wondered how secure the LHDN e-Filing system was. When the public’s private and confidential information is involved, there is no excuse for not building a robust, scalable and secure system.

With the mantra ‘Mudah Tepat Selamat’ (Easy, Accurate, Secure), one would expect them to have done rigorous testing to ensure the system lives up to that promise.

Unfortunately, Rickey of WattaHack has written an alarming post about a serious security flaw he discovered while filing his tax return via LHDN e-Filing recently.

He was shocked to find that he was able to see another taxpayer’s account details after clicking the “Save & Continue” button. It looks like a simple cookie permission problem, or perhaps a database-related problem, but I don’t know for sure.

If that is the case, it seems to me that the developers were either not fully qualified or did not do enough testing before the system went live.

The security flaw was discovered on 7 April. I am not sure whether it has been fixed at the time of this writing, but two days after the discovery the flaw was still in the wild.

A person named Najlah Ishak, who claimed to be the Public Relations Officer for LHDNM, did post a comment in which she asked to be contacted at 019-222 0034.

What I find unsettling is that we don’t know whether Najlah really works for LHDN. She could be an impersonator trying to take advantage of the situation. If she is the real Public Relations Officer, she should have made it easier for the blogger to report the problem by giving her official contact number or an LHDN email address.

I Googled her name and found that there is indeed a person with that name working as LHDN Public Relations Officer.

While reading the readers’ comments, I noticed another person, Trevor Keegan, who is trying to get information on how to reproduce the problem. Trevor admitted that he does not work for LHDN and is just an external software developer who develops tax software and e-Filing integration products. I am not sure whether he meant the LHDN e-Filing though.

While I appreciate his concern, I would not encourage people to report any problem they encounter with the LHDN e-Filing to a third party. Again, what Trevor should have done was to contact his customer, i.e. LHDN, and handle this problem together from there.

They should not make the blogger feel intimidated by making it sound as if it is his fault, or be suspicious of his intentions. If that happens, nobody will be willing to come forward the next time a security flaw is discovered.

I understand that they are probably trying to help, but the way they handled the matter could make it worse.

I took advantage of the LHDN e-Filing system last year, but I had to go to their office to complete it because it failed to work on my local PC.

This year I am going to use the e-Filing system again, and I really hope it is as secure as they have led us to believe.

Update: This problem has been fixed.


Comments


7 Comments

Comment by toxicle
2007-04-13 13:24:27

Just when I’m about to use it I get this news. Hrmm … I hope they fix it before the end-of-month deadline.

 
Comment by bengodomon
2007-04-15 14:54:14

What he should’ve done is report the problem straight to LHDN first, and not post to his blog. With his action, he could’ve caused more harm than good.

In the past, I have also discovered several vulnerabilities, including one in a system developed by an MSC-status company, but I always contacted the PIC first.

Comment by Gaman
2007-04-15 15:29:49

Unfortunately not everyone is motivated enough to do that.

Unlike with a smaller company, it would probably take forever to escalate the issue to the right person in LHDN – all this at the expense of the general public because of the bureaucracy in the system.

If I discover a vulnerability in a system, I would blog about it but leave out the details about the exploit itself. At the same time I’ll contact the relevant authorities – and it’s up to them to act.

Comment by bengodomon
2007-04-15 17:57:15

With the right escalation system, it should be very quick for the details to reach the correct person. In all probability, system development and maintenance is done by a 3rd party (private company), as is the case with most federal app development projects. If the private company is good, they would get to work right away.

Informing the PIC of the organisation in charge of the application first is standard ICT security procedure. I think informing the general public of the vulnerability, even without the whole juicy details, does more harm than good.

Once the relevant authorities do something about it, only then would I consider going public about it.

Comment by Gaman
2007-04-15 18:43:30

The guy is just a blogger to start with, and he is not bound by any procedure or law to report vulnerabilities overlooked by any organization – at least for now (as far as I am aware).

What he did is common practice among bloggers in developed countries like the US. It’s even worse there, where they sometimes publish all the juicy details at will.

Does this do more harm than good?

It could be harmful, but in a way this forces the organization to shorten its response time further. They take security even more seriously instead of delegating beta testing to the unwilling general public.

I agree with you, though, that ideally the guy should have reported it first. Sadly, the reality is less than ideal.
Comment by WATTAHACK?
2007-04-16 22:55:38

Please post an update on this matter so others know it’s resolved.

http://wattahack.blogspot.com/2007/04/resolved-lhdn-e-filing-leaking-data.html
