Taxes are a pain in the ass for a lot of people. Of course, one can always hire a specialist, but they are often rather expensive. That’s why tax apps are a pretty good alternative: they often help where help is needed and are easy to use. It gets problematic, though, if such a program stores customer data in an Amazon cloud bucket that is accessible to basically everyone.
Data was just waiting to be stolen
How would you feel if your data, including tax declarations, photographed payslips, birth and marriage certificates, and other highly sensitive documents, were stored somewhere everyone could access it – including cybercriminals? That’s what a tax consulting firm in Switzerland did.
Zurich Financial Solutions (Zufiso.ch) is a company that offers customers personalized tax declarations via its app steuern59.ch. Considering how complicated and time-consuming a tax declaration can be, paying 59 Swiss Francs for an app that does it all sounds like a sweet deal. To get everything set up, users need to upload photographs of their documents and invoices through the app.
Still nothing out of the ordinary, right? After all, that’s how countless other apps work as well. Not quite: a security researcher called SecuNinja discovered that all data – no matter how sensitive – was apparently stored in an openly accessible Amazon cloud bucket.
discovered a European tax company storing customers’ personal data, uploaded tax details, login data and more in an AWS bucket configured for public r/w access… more details coming soon #websecurity #GDPR
— SecuNinja (@secuninja) 18. September 2018
That included not only the customer data already mentioned but also customers’ chat logs about their tax returns (in plain text), their login data including passwords (yep, you guessed correctly: in plain text, too), admin passwords, and design files for the app itself.
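To make the "configured for public r/w access" part concrete from the defender's side, here is an added Python example (not code from the article, from SecuNinja, or from steuern59.ch) that audits the three places where an S3 bucket can be opened to the world: the bucket ACL, the bucket policy, and the account/bucket Public Access Block settings. The input documents are constructed to mirror the configuration the tweet describes (an ACL granting READ and WRITE to the AllUsers group, a wildcard-principal policy, and all four Public Access Block settings switched off), placed beside a closed configuration. Function names such as `audit_bucket` and the bucket name `example-tax-uploads` are invented for the example; the JSON shapes follow what the AWS CLI returns from `get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`, which is what you would feed in for a real bucket.

```python
import json

# Grantee URIs that S3 uses for "everyone" and "any authenticated AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
# ACL permissions that let the grantee change objects or the ACL itself.
WRITE_ACL_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# ACL permissions that let the grantee list and fetch objects.
READ_ACL_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Public Access Block settings that should all be true on a bucket holding customer uploads.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_findings(acl):
    """Flag every ACL grant made to a public group (input has the shape of GetBucketAcl output)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEES:
            perm = grant.get("Permission", "")
            findings.append({
                "source": "acl",
                "who": PUBLIC_GRANTEES[uri],
                "permission": perm,
                "read": perm in READ_ACL_PERMISSIONS,
                "write": perm in WRITE_ACL_PERMISSIONS,
            })
    return findings


def policy_findings(policy):
    """Flag unconditional Allow statements whose principal is a wildcard (bucket policy JSON)."""
    findings = []
    for stmt in policy.get("Statement", []):
        # Deny statements and conditioned statements need a human read; not flagged here.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        principals = principal if isinstance(principal, list) else [principal]
        if "*" not in principals:
            continue
        actions = stmt.get("Action", [])
        for action in actions if isinstance(actions, list) else [actions]:
            a = action.lower()
            findings.append({
                "source": "policy",
                "who": "anyone on the internet",
                "permission": action,
                "read": a in ("s3:*", "*") or a.startswith("s3:get") or a.startswith("s3:list"),
                "write": a in ("s3:*", "*") or a.startswith("s3:put") or a.startswith("s3:delete"),
            })
    return findings


def public_access_block_gaps(pab):
    """Return the Public Access Block settings that are missing or false."""
    return [k for k in PAB_KEYS if not pab.get(k, False)]


def audit_bucket(acl, policy, pab):
    """Combine the three checks into one report for a bucket."""
    findings = acl_findings(acl) + policy_findings(policy)
    return {
        "findings": findings,
        "public_read": any(f["read"] for f in findings),
        "public_write": any(f["write"] for f in findings),
        "pab_gaps": public_access_block_gaps(pab),
    }


# Constructed sample input: an owner grant plus public READ and WRITE, as in the reported case.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OPEN_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-tax-uploads/*"}],
}
OPEN_PAB = {k: False for k in PAB_KEYS}

# Constructed closed configuration: owner-only ACL, no policy statements, all blocks enabled.
CLOSED_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [OPEN_ACL["Grants"][0]]}
CLOSED_POLICY = {"Version": "2012-10-17", "Statement": []}
CLOSED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for name, args in (("open", (OPEN_ACL, OPEN_POLICY, OPEN_PAB)),
                       ("closed", (CLOSED_ACL, CLOSED_POLICY, CLOSED_PAB))):
        print(name, json.dumps(audit_bucket(*args), indent=2))
```

Two design choices worth noting: the policy check only flags unconditional wildcard-principal Allow statements, because a statement with a `Condition` (for example one restricted to a VPC endpoint) is not necessarily public and deserves a human read rather than an automatic finding; and the report separates read from write exposure, since a bucket that anyone can write to is also a foothold for tampering with uploads, not just a data leak.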
Company’s reaction lacking
SecuNinja apparently contacted the company and Switzerland’s CERT immediately, but to no avail: neither CERT nor he ever received an answer. Only after heise.de got involved did steuern59.ch finally take the issue somewhat seriously and close the leak. Apparently they initially thought it was a joke by the security researcher.
While the security leak is now closed, the tax service provider did not understand why their customers would need to be informed about the issue, something that by now has happened nonetheless. Steuern59.ch has also released a statement, which can be found on their website.