Fix sweetens foul cookie that kept open Aussie tax login portals
Users opening PDFs on public machines at risk.
The Australian Tax Office (ATO) has crushed a cookie-related flaw in which sessions failed to close, allowing the next user of a public computer to access the previous user's tax records.
The flaw, reported to the office by Sydney Arduino tinkerer JP Liew, occurs when taxpayers download a PDF from the ATO and in doing so are directed away from the site.
This meant the ATO session was not ended and the sign-on cookie remained active.
If the cookie persisted after the browser was closed, the flaw would represent a serious risk to users logging in on untrusted public computers.
It is unclear whether closing the web browser would kill the cookie. If it did, the risk would be smaller, since users are unlikely to walk away from a public computer leaving the session open without closing the browser. Even then, a browser-session cookie only disappears on the client side: unless the server also invalidates the session record, the session ID stays usable until it times out on the server.
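To make the server-side point concrete, here is an added example, not ATO code and not from Liew's report, of the session handling an application of this kind needs: the cookie is issued as a browser-session cookie (no Expires/Max-Age) with Secure, HttpOnly and SameSite set, and the server-side record is invalidated on logout and on idle and absolute timeouts, so a session left behind on a public PC dies on its own. The cookie name, the timeout values and the walk-away timeline are assumptions chosen for illustration.

```python
"""Server-side session store illustrating the 'walked away from a public PC' case.

Added example, not the ATO's code. COOKIE_NAME, the timeouts and the
constructed timeline below are assumptions for illustration only.
"""
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

COOKIE_NAME = "SESSIONID"        # assumed cookie name
IDLE_TIMEOUT = 15 * 60           # assumed: 15 minutes without a request ends the session
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # assumed: 8 hours from login regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory session store; `now` is injectable so the timeline can be simulated."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> Tuple[str, str]:
        """Create a session and return (session_id, Set-Cookie header value)."""
        sid = secrets.token_urlsafe(32)   # 256 bits from a CSPRNG; never predictable
        t = self._now()
        self._sessions[sid] = Session(user, t, t)
        return sid, self.cookie_header(sid)

    @staticmethod
    def cookie_header(sid: str) -> str:
        # No Expires/Max-Age: a browser-session cookie, discarded when the browser closes.
        # Secure keeps it off plain HTTP, HttpOnly keeps it away from script,
        # SameSite=Lax stops most cross-site sends. Path scopes it to the application.
        return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    @staticmethod
    def logout_header() -> str:
        # Max-Age=0 tells the browser to drop the cookie; the server-side record is
        # removed separately in logout(), because the client-side deletion alone is not enough.
        return f"{COOKIE_NAME}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user for a live session id; expire and return None otherwise."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]       # stale session is gone for the next user of the PC
            return None
        s.last_seen = t                   # sliding idle window
        return s.user

    def resolve_from_cookie_header(self, cookie_header: str) -> Optional[str]:
        """Parse a raw Cookie: request header and resolve our session cookie from it."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(COOKIE_NAME)
        return self.resolve(morsel.value) if morsel else None

    def logout(self, sid: str) -> str:
        """Invalidate the session server-side and return the clearing Set-Cookie header."""
        self._sessions.pop(sid, None)
        return self.logout_header()


def walk_away_scenario() -> dict:
    """Constructed timeline: taxpayer downloads a PDF, walks away without logging out,
    and the next user sits down 20 minutes later. The idle timeout has killed the session."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    sid, _ = store.login("taxpayer")
    clock[0] += 60                        # one minute later: PDF opened, user leaves
    before = store.resolve(sid)           # still 'taxpayer'
    clock[0] += 20 * 60                   # next user arrives 20 minutes after that
    after_idle = store.resolve(sid)       # None: idle timeout exceeded
    return {"before": before, "after_idle": after_idle}


if __name__ == "__main__":
    print(walk_away_scenario())
```

The idle timeout is what protects the public-PC user who never logs out; the logout path matters for the user who does, because clearing the cookie in the browser without deleting the server-side record leaves the session ID usable by anyone who captured it.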
Fairfax Media reports that it obtained a copy of a demonstration video Liew briefly uploaded to YouTube to prove the severity of the flaw to the ATO's Twitter account handlers, after call centre staff would not help him report the bug.
Liew praised the ATO for its quick incident response after it was reported through the agency's Twitter account.
The ATO is known in the industry to have skilled red and blue security teams.
Admins can review their cookie and session management against the relevant OWASP cheat sheet. ®