[Infowarrior] - Turbotax Vulnerability

[Richard Forno]

Glitch Gives Woman Access To Others' Turbo Tax Information
Flaw Could Lead To Identity Theft

POSTED: 11:00 am EDT April 9, 2007
UPDATED: 12:04 pm EDT April 9, 2007
http://www.nbc4.com/money/11588165/detail.html

WASHINGTON -- Many people use Turbo Tax to help them file their taxes, but
one woman discovered an error in the program that could cost users thousands
of dollars and their identities.

The woman discovered a key to the backdoor of some tax returns filed online
through Turbo Tax.

"I knew immediately how big this was," she said. "This is very, very bad."

A Turbo Tax customer herself, the woman attempted to access some past
filings and the route she took online opened returns for several others with
the same last name but different first initials.

"For a bad guy to get this information would mean they could retire rich and
happy," the woman said.

She was able to access tax returns for Turbo Tax customers she never met in
different parts of the country. On her screen, she found everything needed
for electronic filing from bank account to routing digits and Social
Security numbers.

"It's clear that she was able to access information that she shouldn't have
been able to," said Gordon Whitten of Turbo Tax.

An Omaha-based official with the Turbo Tax parent company said the
inadvertent access to some tax files came as a shock.

"We think it was a quirk, an individual circumstance as far as we know,"
Whitten said. "So what we did is we took that link down in the product for
now until we can fully investigate to make sure the issue won't happen again
to anybody else."

The flaw does not involve the Turbo Tax software, only the Web site that
allows taxpayers to create an account and do their taxes.

For security reasons, the common last name or how the woman inadvertently
gained access to three other Turbo Tax accounts were not revealed.