ATO's Windows bias reveals possible hole

update The denizens of global security mailing list Bugtraq have started discussing whether the Australian Taxation Office's (ATO) e-tax 2010 software, which is currently being used by millions of Australians to submit their tax returns, has a security hole in it due to the way it deals with remote Secure Socket Layer (SSL) certificates.

The breaches were unintentionally discovered when a security expert, known only as Dave B, became fed up with the ATO's restrictions on the use of alternative operating systems other than Windows. He tried to do a workaround so he didn't have to use Microsoft's platform.

At first Dave thought that the software did not check the SSL certificate of involved domains and would work if the certificate came from a valid certificate authority. Other tests were made and he found that a "freshly generated" self-signed certificate would be accepted by the software: the SSL certificate does not need to be signed by a certificate authority.

E-tax communicates via the unencrypted Hypertext Transfer Protocol (http) rather than Hypertext Transfer Protocol Secure (https) if told to by, for example, using URL manipulations such as the Apache mod_rewrite module. E-tax 2010 sends the details of the tax request in a Simple Object Access Protocol (SOAP) request.

"We don't provide comment on security-related matters; however, we can assure taxpayers that income tax details submitted by e-tax software is secure," the ATO said in response to queries on the matter.

Securus Global managing director Drazen Drazic said that he believed the risks were clear and that the whole process was open to incursions such as man-in-the-middle (MITM) attacks, where an attacker could pull information from the stream between the ATO and the e-tax end user.

"The risks seem to be purely on the client side of things in regards to this advisory," he said. "People need to be careful when accessing. How it's working based upon the advisory means people could be directed to anywhere with personal information being sent to unauthorised parties. Given the type of information, not a good thing."

For instance, if an individual has an SSL certificate for another website that certificate could then be used to masquerade as the ATO's tax server. The ATO was contacted last Thursday for comment but has not yet responded to the issue at the time of publication.

Last week Dave logged his discovery on Bugtraq in a series of logs. Each revealed that the security breach was much worse than previously thought. The first bug logged can be viewed here, subsequent bugs logged can be located here and here.

Updated at 5:30pm, 13 September 2010: included comment from ATO.