MyGov Bug Allowing Full Access to Another Person's ATO Account

Just found out a bug: if you are using a shared computer and accessing ATO email (PDF) via myGov, even when you log out from myGov, your ATO session is still valid, thus allowing a subsequent person to gain full access to your ATO account.

This bug only happens when you READ an ATO email attachment directly from the myGov INBOX.

In the meantime, try to avoid using a shared computer, especially in a library, workplace, university, school etc., until myGov responds and gets it fixed. Now my wife knows how much I earn :-(

Further details here:
https://twitter.com/geekyjp/status/665813655997382656
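The bug described above is a single-logout failure: the portal (identity provider) ends its own session, but the linked service keeps honouring the session it minted, so whoever sits down at the shared computer next still has a live cookie. The toy model below is an added example, not myGov or ATO code, and the class and function names (IdentityProvider, RelyingParty, simulate) are assumed. It contrasts a logout that only clears the provider's session with one that also revokes every dependent session, and shows which of the two cookies is still accepted afterwards.

```python
"""Toy model of federated logout (added illustration, not myGov/ATO code).

IdentityProvider stands in for the portal you log in to; RelyingParty
stands in for a linked service that mints its own session when you open
it from the portal.  Names and behaviour are assumptions for the model.
"""
import secrets


class RelyingParty:
    """A linked service that trusts logins delegated by the identity provider."""

    def __init__(self, name):
        self.name = name
        # session_id -> {"user": ..., "idp_session": id of the portal session it came from}
        self.sessions = {}

    def create_session(self, user, idp_session_id):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "idp_session": idp_session_id}
        return sid

    def is_valid(self, sid):
        return sid in self.sessions

    def revoke_for_idp_session(self, idp_session_id):
        """Single-logout hook: drop every session derived from the given portal session."""
        doomed = [sid for sid, s in self.sessions.items() if s["idp_session"] == idp_session_id]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)


class IdentityProvider:
    """The portal.  single_logout=False reproduces the reported behaviour."""

    def __init__(self, single_logout):
        self.single_logout = single_logout
        self.sessions = {}       # portal session id -> user
        self.relying_parties = []

    def register(self, rp):
        self.relying_parties.append(rp)

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def open_service(self, idp_sid, rp):
        """Mimic opening a linked service from the portal: it gets its own session."""
        user = self.sessions[idp_sid]        # raises KeyError if not logged in
        return rp.create_session(user, idp_sid)

    def logout(self, idp_sid):
        self.sessions.pop(idp_sid, None)
        if self.single_logout:
            # The fix: tell every linked service to revoke sessions tied to this login.
            for rp in self.relying_parties:
                rp.revoke_for_idp_session(idp_sid)


def simulate(single_logout):
    """Log in, open the linked service, log out of the portal; report which cookies still work."""
    idp = IdentityProvider(single_logout)
    rp = RelyingParty("linked-service")
    idp.register(rp)

    idp_sid = idp.login("alice")             # constructed sample user
    rp_sid = idp.open_service(idp_sid, rp)   # the "read the attachment" step
    idp.logout(idp_sid)

    # Both cookies are still in the shared browser's cookie jar; what matters is
    # whether each server still accepts them.
    return {
        "idp_valid": idp_sid in idp.sessions,
        "rp_valid": rp.is_valid(rp_sid),
    }


if __name__ == "__main__":
    print("logout without single logout:", simulate(single_logout=False))
    print("logout with single logout:   ", simulate(single_logout=True))
```

Without single logout the portal cookie dies but the service cookie stays valid, which is exactly the exposure the post reports; with it, both are dead. On the defensive side the same model suggests the check to run after any logout flow: re-send the dependent service's cookie and confirm it is rejected, not just that the portal redirects you to a login page.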


Comments

  • Now my wife knows how much I earn :-(

    Sarcasm on the Internet, right?

  • +1

    I've always wondered how successful government would be at implementing security and such on a site like MyGov. Looks like I have my answer!

  • +2

    uhh… Why would you keep how much you earn from your wife?

• or else she will make quick bucks by filing for divorce? :-)

    • If both put money into a groceries and household stuff account based on earnings ratio, you can contribute less and have a secret cash stash to buy things from OzB if the missus doesn't know about it.

• good idea @babylon, now I can have more buying power for OzB stuff.

      • See? Things are so economically difficult these days that the only stash guys can hoard now is… cash.

        :-/

  • +3

    Replicated.

    It's always good practice not to login to sensitive accounts from shared/vulnerable PCs. This is a good example why.

    • +1

      You also never know what manner of keyloggers, etc., are on there. So even if this were not an issue you should still avoid it.

BTW, private browsing/incognito would work around this particular issue. Ctrl+Shift+P on Firefox or IE, Ctrl+Shift+N on Chrome; it'll forget the session after you close all private windows. Otherwise, Ctrl+Shift+Del on any browser will open a window letting you delete cookies (where the session is saved).

      But that still wouldn't protect you from keyloggers, so overall you should still never log in to anything (or with any password, if you reuse them) you don't want others to access.

  • +1

Even better, do not have a myGov account…

    • That's rather difficult if you want to do your tax return online.

• Do a paper one. Keep them busy sorting and scanning. They make it so difficult to do it online anyway. They change things all the time. And now with this sort of compulsory myGov account… It is only a matter of time until that gets hacked and all your data is posted on the internet!!!

        • No thanks. I hate filling in paper forms (partly because I have a problem with writing neatly; it's much easier for me to work on a keyboard). I certainly don't find it difficult to do online.

  • +1

    ATO worked on the incident today and later informed me that the vulnerability has been fixed. Great incident response.

• +1

    • yup
