UPDATE (4.12.08): The bug mentioned here has been resolved. Read the post and the updates at the bottom for the entire story.
I’ve been using H&R Block’s online tax services to do my taxes this year. While corresponding with one of their tax professionals through their online message center, I discovered a very serious security hole in their software. I won’t describe the exact steps here because I don’t want anyone to take advantage of this, but by clicking through the tax software in a specific order, I found that all of the messages in my message center were replaced with random messages between other customers and their tax pros. Many of these messages contained confidential information and had very sensitive attachments, like W2s and other financial documents, that I was fully able to download. The process of doing this is repeatable, so it’s definitely a bug.
I tried reporting this to H&R Block, but I don’t think I was very successful. Here’s how it went…
I called the H&R Block tech support number and spent 20 minutes on hold. A young woman finally answered and said, “How may I help you?” I explained that I was calling to report an urgent issue, where I could see other customers’ private information in my message center. Her only response was to give me another phone number to call.
I called the new number and spent another 20 minutes on hold. A young woman finally answered and said, “How may I help you?” I explained that I was calling to report an urgent issue, where I could see other customers’ private information in my message center. Her only response was, “So… how may I help you?” I repeated that I was calling to report a serious bug in their system, to which she replied, “I can open a support ticket for you, if you like?” At this point I asked for her supervisor. After 40 minutes on hold, the supervisor came on the line and said, “How may I help you?”
By now, I’m pretty pissed off. I can’t believe I just spent an hour and a half on the phone trying to relay this issue and I’m no closer than I was when I started. I gave the supervisor the facts, and he asked me for my username. He logged into my account, but for whatever reason the screens he sees are different from the ones that I see, so he couldn’t click on the required items. My only option was to verbally describe the screens and steps required to reproduce the bug. He put me on hold for a few minutes, and then came back on and thanked me for reporting this issue. That’s it.
When I relayed the procedure to the supervisor, I rattled it off fairly quickly. I actually expected him to escalate the issue to higher-level tech support and that I would be repeating it in more detail to someone else. But he didn’t, at least not with me still on the phone. He didn’t appear to be taking any notes either, so I don’t know if he actually got it or not. It’s possible they were recording the call, but there was no standard message about that at the beginning, so I don’t know.
In addition to the security bug itself, I can’t believe I had such a hard time communicating the seriousness of this problem. Not only is H&R Block potentially screwing its customers, but they’re also opening themselves up to a giant lawsuit. One thing is for sure… I will NOT be using H&R Block Online again next year.
UPDATE (4.10.08): I don’t know if my support call yielded any results, but I did forward this blog post to the tax pros I had interacted with through the H&R Block website, and they are taking action. I was contacted by two different support people and we ran through the procedure to replicate the bug. They’re looking into it now. I’ll continue to update this post with any new information I receive.
UPDATE (4.11.08): H&R Block has informed me that they’ve identified the cause of the bug and are working on the fix now. They hope to have it implemented by late tonight. I’ll be testing this later to confirm the fix. They’re also doing research to determine how many people may have been impacted by the bug. They told me that initial data suggests it was a relatively small number of users. I’ll update this post when I know more.
UPDATE (4.12.08): This morning I tested the system on my account and my girlfriend’s. Everything appears to be fixed.
Although this whole thing started out a bit rocky due to undertrained phone-support employees, I am glad to see that once the word reached the right people they did take swift action in solving the problem. To some degree I guess this incident is a testament to the power of blogging. I can’t say this with absolute certainty, but I personally believe that forwarding this post to the tax pros I worked with did more to get this resolved than my phone call to tech support.
In the interest of absolute transparency, I should also mention that in return for the trouble I had with tech support, and my assistance in troubleshooting the system, H&R Block did refund the cost of this year’s return and offered me free tax preparation for next year.
3 thoughts on “I found a serious security bug in H&R Block’s online tax software”
That’s absolutely horrifying. I used H&R Block Online this year (and will never use it again after reading this). So many companies just don’t appreciate how important security is and refuse to respond to requests like this–this kind of carelessness leads to situations like the recent Hannaford security breach or the one at Harvard.
Phone service people aren’t trained to deal with that sort of thing and really can’t appreciate the importance of it. I’m surprised the management couldn’t get you through to some specific tech people–or I guess “wouldn’t” is the more appropriate word. They aren’t trained to care, either, I suppose.
People trust companies like H&R Block because they find comfort in the familiarity of the name brand–it makes them feel safe. When something like this comes up, it’s REALLY damaging, not only as a result of lawsuits, but it will drive away a lot of business once it gets out that somebody has exploited it.
They’ll learn one day. The hard way. I just hope my credit information isn’t bittorrented around the country beforehand.
I would like to see where this goes, since I am an H&R Block user this year.
Found a similar bug in the Emerald Card system on H&R Block’s site.
Wrote an article on it: