The mobile app Steuern59.ch has stored tax declarations, tax information, receipts and other personal data in a publicly readable AWS bucket.
Translated news from heise.de, original by Fabian A. Scherschel
The tax consulting firm Zürich Financial Solutions (Zufiso.ch) offers personalized tax declarations, prepared via a smartphone app, for 59 Swiss francs. The corresponding app is called Steuern59.ch and is marketed to Swiss taxpayers. According to information available exclusively to heise online, the company's Android and iOS apps stored all data entered in the app, as well as the photos users took of their documents, in the Amazon cloud (AWS). The data in this so-called AWS bucket was accessible to anyone with a free AWS account: not only the bucket owner, but any authenticated AWS user at all. It included the tax declarations and tax assessments as well as every photographed document, such as payslips, insurance certificates or birth and marriage certificates, of hundreds of app users.
The AWS bucket was found by a security researcher who goes by the pseudonym SecuNinja and who searches for such exposures and then reports the vulnerabilities he finds to the affected companies. When he contacted Zufiso in this case, he initially received no answer. Only when heise online approached Zürich Financial Solutions with a reference to an upcoming news report did the company respond to the researcher. According to Zufiso, the researcher's report had initially been taken for a fake or for spam. Note SecuNinja: Switzerland's CERT (govcert.ch) was also involved and was initially ignored, too.
Login details in the cloud in plain text
After the researcher had gained the attention of the tax consulting firm with our help, the company realized that the security gap was not a joke. In addition to the clients' highly sensitive financial documents, the researcher had also found the administrators' bcrypt password hashes. A database with the access data of the app users even contained their passwords in plain text. Furthermore, the AWS bucket held the customers' chat logs, in which some of them discussed their tax returns with the service provider; these logs were stored in plain text as well.
The Steuern59.ch mobile app appears to have been developed by an external contractor in India. Besides the app's operational data, SecuNinja also found numerous photographed app designs, sketches and pictures of the developers in their studio in northern India. Such world-readable AWS buckets turn up again and again (heise.de), and often they are beginners' mistakes. In the case of a finished, paid product like Steuern59.ch, however, one has to speak of sloppy work. The data could be found with freely available tools that automatically scan the Amazon cloud for vulnerable buckets.
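The article's phrase "accessible to anyone with a free AWS account" describes a specific misconfiguration: a bucket ACL grant to the AWS-defined AuthenticatedUsers group, which any signed request from any AWS account satisfies, so it is effectively public. The following check is an added editorial example, not code from heise online, SecuNinja or Zufiso, and the ACL and Block Public Access documents it inspects are constructed here to mirror the case described; in practice they would be the output of `aws s3api get-bucket-acl` and `aws s3api get-public-access-block`, which must be run online.

```python
"""Flag S3 bucket ACL grants that expose a bucket to the public or to every
AWS account holder, and show how Block Public Access neutralises them.

Added example, not code from heise online, SecuNinja or Zufiso. The ACL and
Public Access Block documents below are constructed to mirror the article.
Real ones come from `aws s3api get-bucket-acl --bucket NAME` and
`aws s3api get-public-access-block --bucket NAME` (JSON output).
"""

# AWS-defined predefined groups. A grant to AuthenticatedUsers is what makes a
# bucket "accessible to anyone with a free AWS account": the only requirement
# is a signed request from some AWS account, which anyone can create for free.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "anyone (unauthenticated)",
    AUTHENTICATED_USERS: "any AWS account holder",
}

# What each bucket-level permission lets the grantee do. Note that bucket READ
# only allows listing keys; downloading an object additionally depends on the
# object's own ACL or a bucket policy, which this check does not inspect.
EFFECTS = {
    "READ": "list every object key in the bucket",
    "READ_ACP": "read the bucket ACL",
    "WRITE": "create, overwrite or delete objects",
    "WRITE_ACP": "rewrite the bucket ACL (full takeover)",
    "FULL_CONTROL": "do all of the above",
}


def public_grants(acl):
    """Return (group_label, permission, effect) for each grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are account-specific, not public
        label = PUBLIC_GROUPS.get(grantee.get("URI"))
        if label is None:
            continue  # other groups, e.g. LogDelivery, are not public
        perm = grant.get("Permission", "")
        hits.append((label, perm, EFFECTS.get(perm, "unknown permission")))
    return hits


def effective_public_grants(acl, public_access_block=None):
    """Public grants that S3 actually honours once Block Public Access is
    considered: with IgnorePublicAcls set, S3 disregards grants to AllUsers
    and AuthenticatedUsers on the bucket and its objects."""
    config = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    if config.get("IgnorePublicAcls"):
        return []
    return public_grants(acl)


# Constructed sample data (hypothetical owner ID). The owner has full control
# and every AWS account holder may list the bucket: the pattern in the article.
OWNER = {"Type": "CanonicalUser", "ID": "a1b2c3" + "0" * 58, "DisplayName": "bucket-owner"}
LEAKY_ACL = {
    "Owner": {"ID": OWNER["ID"], "DisplayName": OWNER["DisplayName"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": LEAKY_ACL["Owner"], "Grants": [LEAKY_ACL["Grants"][0]]}
BLOCK_ALL = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}


if __name__ == "__main__":
    for name, acl, pab in [("leaky", LEAKY_ACL, None),
                           ("leaky + block public access", LEAKY_ACL, BLOCK_ALL),
                           ("private", PRIVATE_ACL, None)]:
        hits = effective_public_grants(acl, pab)
        print(f"{name}: {'EXPOSED' if hits else 'ok'}")
        for label, perm, effect in hits:
            print(f"  {perm} for {label}: can {effect}")
```

The check treats AuthenticatedUsers exactly like AllUsers, which matches how AWS itself defines a "public" ACL. The practical remedy it encodes is also the one to verify on a bucket that has supposedly been fixed: remove the group grants and enable all four Block Public Access settings, so that a later accidental grant is ignored rather than honoured.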
Reaction of mobile app service provider unsatisfactory
In the meantime Zufiso has assured us that the security hole in the iOS and Android apps of Steuern59.ch was closed with an update at the end of last week. In any case, the AWS bucket is no longer publicly readable. Whether the storage of user credentials has also been changed to a secure method cannot be assessed at the moment. Asked whether the company would inform its users about the issue and the associated potential data leak, the company management answered evasively. As far as we know, customers have not yet been informed by Steuern59.ch.
The manufacturer's reaction to the exemplary reporting of the vulnerability by the independent security researcher leaves much to be desired. Changing the AWS bucket's read permissions took several days, and further information about the progress of the work on securing the app and its server backend was released only reluctantly. Only after we insisted several times and finally set an ultimatum for the publication of the story did we receive a few brief hints.
In addition, the tax service provider did not want to understand why we consider it essential to inform the app's users about the data leak. Unfortunately, security researchers often hit a brick wall with manufacturers in such cases, and additional pressure in the form of a threatened publication is needed before developers fix such security flaws in their products.
Note SecuNinja: Thanks a lot to Fabian for supporting me in this case 🙂