steuern59.ch. Considering how complicated and time-consuming a tax declaration can be, paying 59 Swiss Francs for an app that does it all sounds like a sweet deal. To get everything set up, users need to upload photographs of their documents and invoices with said app.
Still nothing out of the ordinary, right? After all, that’s how countless other apps work as well. Not quite: A security researcher called SecuNinja discovered that all data – no matter how sensitive – were apparently stored in an openly accessible Amazon cloud bucket.
discovered a European tax company storing customers' personal data, uploaded tax details, login data and more in an AWS bucket configured for public r/w access… more details coming soon #websecurity #GDPR
— SecuNinja (@secuninja) 18. September 2018
That included not only the mentioned customer data but also customers’ chat logs concerning their tax returns (in plain text), their login data including passwords (yep, you guessed correctly: in plain text, too), admin passwords, and designs concerning the app itself.
SecuNinja apparently contacted the company and Switzerland’s CERT immediately, but to no avail. Neither CERT nor he ever received an answer. Only after he was helped by heise.de did steuern59.ch finally take the issue somewhat seriously and close the leak. Apparently they initially thought it to be a joke by the security researcher.
While the security leak is now closed, the tax service provider did not understand why their customers would need to be informed about the issue, something that by now has happened nonetheless. Steuern59.ch also released a statement which can be found on their website.