Saturday, April 07, 2007

LHDN e-FILING LEAKING DATA? (RESOLVED)

(RESOLVED PLS READ HERE)

IMPORTANT - LHDN Please look into this Security Flaw... As I was filing my tax returns via e-Filing I encountered something that made me worried. As I clicked the save & continue button, the page refreshed with some other person's Tax No. as well as their PRIVATE & CONFIDENTIAL info!

I was shocked and could even see the bank info and account number... I took a print screen and hope to make known to others the possible leak of P&C info.


I find this NOT amusing as leaking anyone's financial info makes me lose trust in the system and LHDN. Imagine, I got to view 2 other persons' data!

If anyone here has direct access to LHDN's Head Officer please inform him/her as to this matter to rectify ASAP!

Latest update 080407 - logged in and saw some more other persons' tax returns.... sigh!

NOW I'M SERIOUSLY WORRIED!!!!

P/S: I'm not here to undermine LHDN's effort with regards to e-Filing. I hope LHDN doesn't view this in the wrong light, because I hope they rectify this ASAP as I too would like to file my Tax returns via e-Filing before the deadline as a responsible citizen!

Latest update 090407 - I couldn't sleep well last night. Been thinking of this issue.

I think when I click continue (a) and someone else clicks continue (b) as well, the server serves back the refreshed pages from (b) to me and (a) to the other person. How else can others see another's info at the same time unless it's been swapped somewhere along the line?

Like I mentioned, I made a call to one of the persons via the phone no. listed in the e-Filing tax return and talked with them. They also could see another person's info filled in on the page. One wonders how many are actually facing this swapping of info?

What if a robber/kidnapper gets some nice info on some Dato's tax returns? He/she would know his particulars and the amount of money he earns yearly and the tax he declares, as well as his bank account no. Sounds like a Hollywood movie title to me..... "Tropicana Log-in"

Latest update 120471 - SIGH!
This is why when the head of gov labels Bloggers as liars, everything that is real is automatically put in a bad light and claimed as lies.

I wouldn't be bothered if Newspapers and TV stations were truthful enough to highlight some Bugs in the system. But it will not see the light of day because of some higher directive, and guess what? Blogs are the only place to post this matter so someone can take action to rectify it ASAP without having to go thru debates and red tape (I presume).

Well if it's still like this next week I won't know what to say other than good luck to those still posting their info online. I hope it's correct and not accidentally edited by some other person and submitted wrongly.

FYI: I didn't even know I was filling in the wrong form, until I saw the top part that listed the tax no. and I thought, that's not my TAX NO.! That's not my NAME either! Only then did I realise this problem...

Latest update 120471 again - Thanks Malay Mail & LHDN, at least it's being looked into. Even though the heading makes me look like a fool, who cares as long as LHDN e-Filing is fool proof. Rest assured if it's confirmed Bugless, I'll post my Tax Returns knowing it's safer than before. Anyway thanks to those that did respond and may have rectified it! (but hey "it didn't happen")


43 comments:

n.i. said...

Dear Sir/Madam,

My name is Najlah Ishak, the Public Relations Officer for LHDNM.
Thank you for your concern in this matter.
Please contact me A.S.A.P. at 019-222 0034.

najlah said...

Dear Sir/Madam,

My name is Najlah Ishak and I am the Public Relations Officer for LHDNM.

Thank you for your interest and concern on this matter.

Please call me personally at 019-222 0034.

Your cooperation is highly appreciated.

WattaHack said...

Dear Chuk/Najlah or whoever,

I find it funny that 2 persons with different Blog names PM me but from the same Officer? Anyway much appreciated that someone from LHDN responded.

How can I cooperate? As is, I only saw what the system posted when I clicked save & continue. Maybe the tech support ppl can try logging in under B-Form and try themselves.

Fill in the name and all info, or fill in all but one detail. Then click continue... the page refreshes into the same page but with someone else's Tax number and info. Sometimes it's only the Tax No. but blank fields.

I got to view two accounts, one from Sabah (I copied this one and you can see it's posted) and one from KL (I didn't copy this one). I have no problem filing my tax online as it's better, but once I saw this flaw I'm worried it can be misused by hackers! And we know Malaysia is well known for Hacking & Online Fraud as well.

Please rectify it so many others get to use this without worries... and it saves our forests as well!

WattaHack said...

OK So I did it again... login to e-Filing and filled in everything and click continue... guess what!

I can go about this the whole day and get other ppl's Tax returns again & again!

So I got one from Bandar Utama and called up just to be sure it's not some test postings.... WOW! It's actually someone's Tax file! And they were also posting their Tax returns.... and they also saw some other info which should not be there! This is NUTS man!

WattaHack is up with this e-Filing server! SQL right? Cause I saw an error msg saying the server has an error sometimes.

najlah said...

Dear Sir/Madam,

LHDNM would appreciate it very much if you can come forward and assist us in this matter as breach of security is a very serious matter.

p/s: Both blog names belong to me...

Najlah Ishak
Public Relations Officer
LHDNM
019-222 0034 / 03-6201 2344

Anonymous said...

Hi,

I have been working with the Borang B e-Filing ever since it was launched at the beginning of this month, and have not seen the type of problems that you are describing.
I have not seen the behaviour that you are describing where you are returned to the main page after pressing the save and continue.
You appear to be able to recreate this problem at will. I would appreciate it if you could tell me the information that you are entering into the first page....this may give us some clues on what is going on. Please email me the information at tkeegan@ealink.com.

Regards
Trevor Keegan

WattaHack said...

Hi Najlah & Keegan,

I'm still wondering why you guys need me to show up to tell you what happened face to face or by phone?

Sorry about being cautious after seeing many others either get sued or harassed by enforcement officers for revealing some info about something amiss to the newspapers or blogs instead of acting on solving the actual issue. Please forgive me if I stay cautious for the moment...

I would luv to help out but as I've said it's not my side, as some other user that I called also stated similar experiences.

"Keegan: I have not seen the behaviour that you are describing where you are returned to the main page after pressing the save and continue."

Yes it did happen and it either refreshed to same page or the next page with another Tax No. and Info inside!

"Keegan: You appear to be able to recreate this problem at will, I would appreciate if you could tell me the information that you are entering into the first page....this may give us some clues on what is going on"

Hehe... you make me sound like a hacker! LOL. Anyway, not that I want to, but I was like any lay person trying my best to support any effort to be paperless and efficient.

But why it happened I won't know because it's not my server and system.... What I entered on the 1st page was as listed there: name, IC, residence, office etc... then just click continue, alakazam! Pop out someone's data!

If I refresh a few times another person's one pops out! Cool.... if I'm a crook! But I'm not, so this spooks me enough to post it so someone can faster try to solve it.

Ideas:
Maybe try using any outside computer other than those in LHDN and your office. Fill in with other persons' info, maybe your family member's or friends', to check it out. And try it during the most common time such as at night after 8pm because that's when family members get their college kids to help out typing, like the one I called. This is probably the peak time? On weekends also?

Sean said...

Dear Rikey,

Try calling them up~ I wish to know what they will say~ Curiosity drove me to leave a comment (LoL). Well obviously this is their "bug" within their application. Getting in touch with you helps nothing but just "might" get your mouth shut~ "Sorry I can't think of any other things that might possibly occur~ I'm Malaysian Youth you know~ I can't think!" (LoL)

Marcus Million said...

Dear Chuk/Najlah

You should go find the security vulnerability using a web application penetration testing tool such as WebInspect. No point asking here. He has already described everything in detail.

2cents said...

Hi,

As a tax paying citizen, I see a potential problem with the system. People using it at community places (i.e. at LHDN office or cybercafes) will have their cookies and history stored on the computer. Maybe that's the reason some are seeing other people's data when clicking next in the Internet Explorer form. This is just my 2 cents.

Unknown said...

Possibly something done wrong by their system creators.

They might be storing information in such a way that only 1 person can be using the system at a time.

If more than 1 user is using the system, it can't tell the different requests apart, and starts showing the wrong information to each user.

Eg:
-User1 logs in. System stores user1 ID
-User1 starts filling in his/her information
-While user1 filling in his/her information, user2 logs in. System stores user2 ID, which overwrites user1 ID currently stored
-User1 refreshes page. Sees user2's information

Alike Thinkers! said...

http://www.ealink.com/ - the company who developed the system, I would guess. And it's surprising to read what he said "....this may give us some clues on what is going on" ... do they not know what is going on? The screen capture is so obvious!!!! WattaHack? Dry run your code by all means!!!!

zewt said...

wahhhh hahahahahaha... looks like you're being watched closely. one post like that and all the LHDN fellas come calling for you.

Anonymous said...

Hello Rikey,

In case you are wondering, I do not work for the LHDN...I am an external Software Developer that develops Tax Software and e-Filing integration products.

With respect, I think that it is understandable that the LHDNM would want to get in contact with you in order determine how genuine each claim is.

Given that you have said that you are keen to help to resolve this problem, and given your reluctance to come forward to assist the LHDNM, what do you propose is the best way to move this thing forward?

I was not trying to make you sound like a hacker;-) Asking how to replicate a problem is a standard question any IT professional will ask. It is virtually impossible to track down and correct any problem unless it is well understood how the problem can be recreated/tested (once the problem is fixed).

You also mentioned getting an SQL error....do you have the details of this error?

Can I ask when was the last time that you tried accessing the system? It would be useful if you could access the system and make a note of the information/steps that you key in before you press the save + continue.

Could I also ask, according to your screen shots, it looks like all the Tax Numbers begin with the same numbers....was the entire tax number the same? Also is this tax file number that is displayed your number, or is it someone elses number?

Just as a matter of interest, is there some reason that you are logging on into the Borang B using an SG number? Do you have business income?

Regards
Trevor Keegan

Sabahan said...

This is a good find and I hope they will act quickly. The system is not that secure after all, as they made us believe.

john smith said...

Dear all,

This could be very embarrassing! All the effort put in could be wasted!

BTW, has the bug been rectified now? Has anyone broadcast the message to the public to avoid unnecessary things from happening?

For the person in charge, please act fast before too late!

Regards

Unknown said...

Yes, this Mr. Najlah posting on a blog is seriously weird. Why not just try it out on your own?

I think he wants to shut you up. Better not call and reveal who you are. You might find yourself locked up under the Internal Security Act or something.

This is because, note that he's not the technical staff, he's the "Public Relations Officer". LHDN trying to save face kua. Instead of trying to solve the problem immediately (as they would have the minute this Mr. Najlah read your blog), this SERIOUS problem still persists, right?

WattaHack said...

"Keegan: With respect, I think that it is understandable that the LHDNM would want to get in contact with you in order determine how genuine each claim is."

Yup... but I also know some Ministers said all Bloggers are liars and we spin up stories. After such a declaration from the Gov, including the PM, do you expect us (citizens/bloggers) to jump out to prove how genuine this leak is? Sorry for me being a bit paranoid. It's up to LHDN and any support tech to dig further. I'm not so crazy to cry wolf for filing my Tax... I'd rather get it done online via e-Filing and get on with my work!

"Keegan: I was not trying to make you sound like a hacker;-) Asking how to replicate a problem is a standard question any IT professional will ask."

Yah! I know its not what you meant...I was just kidding. No offence taken.

"Keegan: You also mentioned getting an SQL error....do you have the details of this error?"
Nope, I just refreshed; that's when I got weird names & numbers! Else why would I refresh? Then after I found out, by clicking continue a few times you get even more others' info! Cool....

"Keegan: Can I ask when was the last time that you tried accessing the system? It would be useful if you could access the system and make a note of the information/steps that you key in before you press the save + continue."

After dinner around 9pm - 10pm and its just like anyone filling all info required then continue.

"Keegan: Could I also ask, according to your screen shots, it looks like all the Tax Numbers begin with the same numbers....was the entire tax number the same? Also is this tax file number that is displayed your number, or is it someone else's number?"

None of those Tax nos. are mine! Those are what I saw, that's why I print screened.... Some had the same number but different names because I think the page got refreshed by someone else and they didn't know and kept on filling and it got refreshed to my screen!

I will email you the FULL SCREEN captures with non-blocked-out tax nos., names and bank info. Hope you don't give them creepy calls ok... hehehe just kidding!

I trust you and LHDN can carry on from here as I don't think I have any more info, unless you want me to keep screen capturing more Tax Returns! hehehe....

investor said...

As a software developer, I really feel ashamed of this. How can this have happened? How did this system pass User Acceptance Testing? I really wonder why.

Unknown said...

Hi,
I'm a reporter with malaysiakini and am wondering if you could drop a word into my inbox so that we could email or talk over the phone about this particular case. Has anybody else complained of similar problems when e-Filing with LHDN? Or is this a one-off thing? Thanks. Fauwaz

Sabahan said...

I find it unsettling to see Najlah or even some other people not related to LHDN wanting the steps to reproduce the problem published here. Sorry Keegan.

There are people just waiting to take advantage of this information, so I suggest Najlah gives her official contact info instead of a personal mobile number (she did give a fixed line number though).

WattaHack said...

Hello Rikey,

Thanks for your email and your information. I can appreciate your situation, but having dealt with the LHDN for some time, I can tell you that they are simply a group of people that want to get a job done. I can also tell you that they would appreciate you coming forward and letting them know, rather than trying to drag you down. But I guess given the cloud of anonymity that people can hide behind in their blogs, it is easy to understand where the 'liars' label comes from.

By the sounds of it, you have tried logging in tonight.....is it OK, or does the problem still exist? I understand that the LHDN has been looking into the problem.

Do not worry, I will not be giving these people 'creepy calls' as you put it ;-) But I will take your detailed screen shots and pass them on to the LHDN for them to look at....hopefully they can figure out what is going on.

Regards
Trevor Keegan

WattaHack said...

"But I guess given the cloud of anonymity that people can hide behind in their blogs, it is easy to understand where the 'liars' label comes from."


same can be said about ministers that make unfounded statements inside parliament and are never accountable for their mistakes and errors to the citizens.... it is also easy to understand where the 'liars' label comes from.

WattaHack said...

I am busy with work and will look back into e-Filing once I clear up some backlogs.... if I find the system rectified I will surely post it up... if its still the same then I donno what to say anymore about it. Guess I'll have to use paper and pen again. Thanks LHDN and Keegan for your attention. Hope you guys solve it soon.

YS-2 said...

Hi Rikey,

I think your joke is funny and successfully cheated quite a number of ppl. I can easily create thousands of print screens like these...then post them saying I can see other info as well...

P/s: If this comment not showing up, this means that my guess r correct :p

Husni said...

I wonder whether any other person encounter this problem.. because all the link pointing to this blog only, i didn't find other people encounter such problem.

WattaHack said...

Yong:
P/s: If this comment not showing up, this means that my guess r correct :p

Hmmm... it did show up! So am I right? Or is this still a joke to you? Mind you, April 1st is long over. And Tax and Death matters are not for joking! I posted to inform others as I sent mails to 2 newspapers and nothing is published or done (from what I see) because of the directive from Gov to keep mum if anyone says anything that might make the Gov look bad. In this case leaking of personal info seems bad enough not to inform users via newspapers. They might think it makes them look bad as it so happens there's an election going on... so where else do I share my findings? Obviously my own blog lar!

WattaHack said...

nevland said...
I wonder whether any other person encounter this problem.. because all the link pointing to this blog only, i didn't find other people encounter such problem.


I also wondered if it was only me, so I called a person listed in Bandar Utama and found out they (a nice sounding daughter helping her mom) were online posting their Tax as well, and I told them the bank and account no. and they verified it was correct. She said she was wondering why the info inside was jumbled up as well! So I gather I'm not alone here. I asked them to file a report to LHDN but it's up to them....

ic3 said...

Here's one. Since nobody can trust anybody nowadays, why not send this posting up to www.ic3.gov which is an affiliate of the FBI in the USA.

They handle both stateside and international internet crime, and any vulnerability in this system, if highlighted to them, will be cordially communicated to Bukit Aman in the case of Malaysia. This in turn will drive LHDN to rectify the problem if any.

Just a thought...

Hazel Sia said...

nevland said...
I wonder whether any other person encounter this problem.. because all the link pointing to this blog only, i didn't find other people encounter such problem.

Yes, I find it a bit strange that you are the only person encountering this problem too ... (?)

Or are there others but have yet to voice it out?

The rest, do tell...!

WattaHack said...

abu said...
Hi,
I'm a reporter with malaysiakini and wondering if you could drop in a word into my inbox so that we could email or talk over the phone over this particular case. Has anybody else complained of similar problems when e-filing with LHDN? Or is this a one-off thing? Thanks. Fauwaz


Sorry what is your email? Is it to editor?

WattaHack said...

ic3 said...
Here one. Since nobody can trust anybody nowadays, why not send this posting up to www.ic3.gov which is an affiliate of the FBI in USA.


ic3 dude it's just a bug they need to fix then problem solved lor... FBI? Not someone dying like in the CSI show; you watch too much TV hehehehe....

I highlight the BUG they KILL IT case closed no Movie to make!

Unknown said...

Yay! You succeeded! The news is on Malay Mail plus the URL. By the end of the day, you'll have a million hits. Congratulations!

WattaHack said...

“I have posted a comment on the blog asking the person to come forward and contact me because we want to improve the system if there are problems, she said."


WOW! After so many days! I hope the bug is ironed out as well. But this morning it was fine so I gather it's been rectified; anyway I'll log in at night or during weekends when the traffic is higher to confirm. Fingers crossed it's fine now so I can finally file my Tax Returns!

t.s.y said...

Hi Trevor Keegan,

I truly believe that this is a PROGRAM ERROR/BUG rather than making Rikey sound like a HACKER!!! Try to check your program again, it's the GLOBAL VARIABLE PROBLEM!!!! Try NOT to declare the variable as GLOBAL (even though it's a private variable), try to declare it within a method or function!!! Hope that this helps and the problem can be solved permanently; otherwise, I think all people dare not use the system anymore.
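The "global variable" failure mode raised in the comment above, and walked through step by step in the earlier User1/User2 comment, can be modelled in a few lines. This is an added illustration, not code from LHDN's e-Filing system or from anyone on this thread; the two server classes, the taxpayer records and the session handling are all constructed for the demonstration.

```python
import secrets

# Constructed, fictitious taxpayer records standing in for the real database.
TAXPAYERS = {
    "user1": {"tax_no": "SG 00000001", "name": "Taxpayer One", "bank": "111-2222"},
    "user2": {"tax_no": "SG 00000002", "name": "Taxpayer Two", "bank": "333-4444"},
}


class BuggyServer:
    """Keeps the logged-in user and the draft form in shared, server-wide state.

    This is the 'global variable' pattern the comments describe: every request,
    from every browser, reads and writes the same two fields.
    """

    def __init__(self):
        self.current_user = None   # one slot for ALL clients
        self.draft = {}            # one draft form for ALL clients

    def login(self, user):
        self.current_user = user   # silently overwrites the previous login
        return "ok"                # client receives nothing that identifies it

    def save_and_continue(self, token, fields):
        # The client's token is ignored; only the most recent login counts.
        self.draft.update(fields)
        return self.render(token)

    def render(self, token):
        rec = TAXPAYERS[self.current_user]
        return {"tax_no": rec["tax_no"], "name": rec["name"],
                "bank": rec["bank"], "draft": dict(self.draft)}


class FixedServer:
    """Keeps all per-user state in a session table keyed on a random token."""

    def __init__(self):
        self.sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(16)   # unguessable per-browser session id
        self.sessions[token] = {"user": user, "draft": {}}
        return token

    def save_and_continue(self, token, fields):
        self.sessions[token]["draft"].update(fields)   # KeyError if unknown/expired
        return self.render(token)

    def render(self, token):
        sess = self.sessions[token]   # identity comes from the session, never from shared state
        rec = TAXPAYERS[sess["user"]]
        return {"tax_no": rec["tax_no"], "name": rec["name"],
                "bank": rec["bank"], "draft": dict(sess["draft"])}


def interleave(server_cls):
    """Replay the four-step sequence from the comment and return the page user1 sees."""
    srv = server_cls()
    t1 = srv.login("user1")                           # 1. user1 logs in
    srv.save_and_continue(t1, {"income": "50000"})    # 2. user1 starts filling in
    srv.login("user2")                                # 3. user2 logs in meanwhile
    return srv.render(t1)                             # 4. user1 refreshes the page


def leaks_other_user(server_cls):
    """True if user1 ends up looking at a record that is not their own."""
    return interleave(server_cls)["tax_no"] != TAXPAYERS["user1"]["tax_no"]


if __name__ == "__main__":
    for cls in (BuggyServer, FixedServer):
        page = interleave(cls)
        print(f"{cls.__name__}: user1 sees {page['name']} ({page['tax_no']}) "
              f"with draft {page['draft']}")
```

With the buggy server, user1's half-filled draft is shown under user2's name and tax number, which matches the "same number but different names" pattern reported above; the fixed server returns each user only their own session's data.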

Unknown said...

This seems to be an application vulnerability. This definitely needs to be addressed.

You can take a few precautions in this regard:

1) Please ensure that the application server rests in the DMZ segment after the Firewall and IPS. Install a Host based IPS.

2) The application has to go thru a white box test. This will include stress test, data test, crash test etc. Compare the results after each run.

3) If the box is running an old version of Apache, upgrade. Any OS for that matter.

4) Ensure that the application has been developed with security in mind. Audit trails, user profiles and access matrix always ready and at hand.

5) Send the logs from the server 24x7 to a syslog server or a SIEM tool for monitoring always.

6) Lastly, install latest patches and perform a pen test on the server or the network.

Best Regards,

SK.

Unknown said...

Guang Ming also published the news :
http://www.guangming.com.my/content.phtml?sec=16&artid=200704112477

RIKEY: Why don't you just contact Najlah and email him/her all the proof you have in order to prove that you are not playing a joke here? Najlah mentioned in his/her reply to the press that he/she is suspecting your intention here in posting this news and yet you don't step forward to provide more information. You just need to use a public phone or an anonymous email so your identity won't be leaked out if you are afraid that the government will take action on you. Just my two cents input :-)

WattaHack said...

adword17 said...
Why don't you just contact Najlah and email him/her all the proofs you have in order to prove that you are not playing a joke here ?

eerrr got phone but no email mah! If not, I'd email direct; somemore I could not verify who it is even if I called...can be some hacker? It cuts both ways you know.

Anyway I emailed Trevor; at least he's from a company with a valid company address and I can see a photo of him (hopefully he's not a hacker too!).

I emailed all those un-blocked screen captures and he will check and pass them on to LHDN. If ppl think this is a joke let them lar! Else they prefer me to post all those ppl's phone and bank nos. to prove it to them?

Maybe if its a politician's tax returns then I'll consider to post... hehehe!

StopSpamming said...

Now EVERYONE, Rikey is NOT alone !!!
Across the Pacific Ocean in Ohama, USA...
Similar Tax e-Filing bug....wow so real!!

Read here...
http://www.firstcoastnews.com/tech/news/news-article.aspx?storyid=79663

and on NBCNC Video here...
http://www.firstcoastnews.com/video/player.aspx?aid=96107&bw=

Do EA Link and Turbo Tax have any link?

qwerty said...

rikey said:-
eerrr got phone but no email mah! if not I email direct somemore I could not verify who it is even if I called...can be some hacker? it cuts both ways you know.

hei, you can always go to the irb hq. just take any taxi and they will surely take you there.... or are you thinking that the taxi drivers are working together with the government to get you? or maybe, the irb hq buildings in jalan duta are all fakes and were built to trap you?

Anonymous said...

'StopSpamming: Now EVERYONE, Rikey is NOT alone !!!
Across the Pacific Ocean in Ohama, USA...
Similar Tax e-Filing bug....wow so real!!
:
EA Link and Turbo Tax has any link?'

No there isn't!

I suggest that you stop posting such garbage!

Firstly, I think that you are treading on shaky ground by suggesting that there is any link between the contents of this blog and the foreign article that you refer to.

Secondly, I resent any implication that there may have been a link between myself (or my company) and the article that you refer to. I suggest that if you have evidence to the contrary then "PUT-UP OR SHUT-UP". If you do not have any evidence to support what you are implying, then I would appreciate if you would refrain from posting such nonsense!

For your information neither I nor my company has ever had any involvement with any customer in the USA (or any country outside of Malaysia). As I said before, if you have information to the contrary then show it!

I find it amusing that despite having said earlier that I do not work for the LHDN, some people still seem to think that I do. So let me say it in a different way:
a) I do not work for the LHDN
b) I have never done work for any Revenue service anywhere in the world!
I am an external Software Developer that happens to know a thing or two about Malaysian Tax & the e-Filing system......that does not mean I built the e-Filing or any other system used by the LHDNM. Again, if you think that you can prove otherwise, then I challenge you to do so, otherwise please refrain from posting such references.

I think that it is a shame when people come forward asking questions or offering assistance, that some people automatically assume that they are responsible for events that are reported just because they happen to do a certain type of work within a certain profession.

Regards
Trevor Keegan

Chironex said...

What you should've done is report the problem straight to LHDN first, and not blog about it straight away. With what you have done, you could have caused more harm than good.

WattaHack said...

Trevor Keegan said...
I find it amusing that despite having said earlier that I do not work for the LHDN, some people still seem to think that I do.


Dear Trevor,
Thanks for repeating, and just to inform you, I've met someone in the Taxation industry and they are close with LHDN and will assist me to clear this up, and hope to arrange a proper meet up to verify that the info I saw and print screened is true and not fabricated. I also asked them about your company and Najlah and they verified that as well, so no point to assume otherwise. Thanks again for contacting me in the 1st place to help.