Security Advisory - MyTaxexpress 2003

From: Nathan Wosnack (nathanat_private)
Date: Tue Mar 25 2003 - 11:46:33 PST


    Original Advisory: Tuesday, March 25, 2003
    
    Severity: Medium - High
    
    Description: Unencrypted tax-return information saved in C:\My Documents 
    by default can pose security risks, and may disclose financial/personal 
    information to the Internet via peer-to-peer (P2P) networks.
    
    Version: Tested on the version released March 20, 2003
    
    Authors: David Coomber and Nathan Wosnack were involved in the research 
    and development.
    
    Tax Software Background:
    
    MyTaxexpress 2003 is a CCRA (Canada Customs and Revenue Agency) certified 
    GUI application developed by ExpressInfo Software that allows Canadian 
    taxpayers located in Alberta, British Columbia, and Ontario to work through 
    their tax returns and file them electronically using a tax filing system 
    known as NETFILE.
    
    Description of the problem:
    
    If you decide to save your return, your personal information is saved to 
    your computer unencrypted, in the directory C:\My Documents by default, with 
    a *.ret extension. The problem with this is two-fold. First, if someone is 
    able to access this file, all they need to do is open it with a text editor 
    such as Notepad to reveal personal information: your full name, your 
    address, your social insurance number, your earnings, spending claims, where 
    you work, etc. Second, saving your tax files in C:\My Documents makes them 
    easier to get hold of, since many Microsoft Windows users share C:\My 
    Documents when using P2P programs without understanding the consequences. 
    Many P2P file-sharing networks have also been known to share the C:\My 
    Documents folder; one example of a file-sharing program that does this is 
    'Kazaa' (with K++ extensions). With a simple query on Kazaa for file names 
    such as 'taxes 2003.ret' or 'taxes.ret', one could gather large amounts of 
    data on unsuspecting users that have C:\My Documents shared.
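As an added defender-side check, not part of the original advisory or of the vendor's software: the script below scans a folder for *.ret files that are readable plaintext and contain a Luhn-valid social insurance number, so a user can find exposed returns before sharing a directory. The key=value layout of the sample .ret file, the function names, and the SIN 046 454 286 (a constructed Luhn-valid value) are assumptions, since the page does not document the real file format.

```python
import re
import tempfile
from pathlib import Path

# Canadian SIN: nine digits, optionally grouped 3-3-3, with a Luhn check digit.
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (SINs do)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_plaintext(data: bytes, threshold: float = 0.95) -> bool:
    """Crude test: an encrypted file is mostly non-printable bytes."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def audit_returns(root):
    """Find *.ret files under root that are plaintext and contain a valid SIN."""
    findings = []
    for path in Path(root).rglob("*.ret"):
        data = path.read_bytes()
        if not looks_plaintext(data):
            continue
        text = data.decode("ascii", errors="replace")
        sins = [a + b + c for a, b, c in SIN_RE.findall(text) if luhn_ok(a + b + c)]
        if sins:
            findings.append((path.name, sins))
    return sorted(findings)


def demo():
    """Constructed sample: one plaintext return, one unreadable blob, one .txt."""
    root = Path(tempfile.mkdtemp())
    # Constructed content; the real .ret layout is not documented on this page.
    (root / "taxes 2003.ret").write_text("NAME=Jane Doe\nSIN=046 454 286\nINCOME=41250\n")
    (root / "backup.ret").write_bytes(bytes(range(256)) * 2)  # stands in for ciphertext
    (root / "notes.txt").write_text("SIN=046-454-286\n")  # not a .ret, ignored
    return [name for name, _ in audit_returns(root)]
```

Run `demo()` against a real folder by passing it to `audit_returns()` instead; anything it reports is a return that should be moved out of a shared folder and encrypted.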
    
    Recommendations:
    
    Because MyTaxexpress does not encrypt your tax return when it is saved to 
    disk, and stores it in C:\My Documents by default, the risk of having 
    personal financial information stolen and used for illegal purposes is 
    high. To protect this financial information from disclosure and misuse, we 
    recommend saving your returns in a different directory and encrypting your 
    returns (and all other personal information) with a strong encryption 
    program such as Blowfish for Windows(1) or similar.
    
    Related Links:
    
    http://www.pivx.com/ - Related advisories focusing on United States tax 
    software.
    
    http://www.hypervivid.com/ - Information, Telecom and Wireless Security 
    Consulting Firm.
    
    Vendor Contact:
    
    http://www.mytaxexpress.com/ - ExpressInfo software.
    
    Have any questions or comments?
    e-mail: advisoriesat_private
    
    Copyright © 2003, Hypervivid Solutions Incorporated. All Rights Reserved. 
    (1) Note: We are not affiliated with any products or services mentioned on 
    this page; we provide the links solely as a convenience to the reader.
    
