The researcher, known as Zemnmez, found two separate flaws in HMRC’s online tax service.
He said finding who to report the issues to was more challenging than finding the bugs. HMRC said it had addressed the problems and was looking at improving ways for people to get in touch. Zemnmez said exploiting either flaw could have let attackers view or modify tax records or harvest key details from Britons.
“I spent days reaching out to half a dozen different government social media accounts attempting to find where the right place to go was and got nothing meaningful in response,” he told the BBC.
The UK’s National Cyber Security Centre – contacted through friends with intelligence connections – was key in helping get the security problems solved, he added.
Clues that the HMRC site was vulnerable to attack were picked up by Zemnmez as he was using the site to check his taxes.
His expertise and experience in finding similar bugs on other websites suggested that the way the HMRC log-in system interacted with his browser left it vulnerable to some well-known attacks. After a short period of experimentation, he found that it was possible to use the HMRC site as a “forwarding service” and send a victim to any site an attacker wanted.
“This could be used to coax the victim into revealing financial information, credentials and usernames and passwords,” he said.
This type of bug is known as an open redirect vulnerability and is a common weakness found on lots of different sites, he added.
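The article does not show HMRC’s code, so the following is an added example, not the site’s own implementation: it assumes a hypothetical login flow that takes a “return to” URL parameter, and shows how a defender validates that parameter so the site cannot be used as a forwarding service to an arbitrary host. The allowed hostname is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed placeholder standing in for the service's own hostname (assumption).
ALLOWED_HOSTS = {"tax.example.gov.uk"}

# The vulnerable pattern is simply `redirect(request.args["return_to"])` with no
# check at all; the function below is the check that closes that gap.
def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is a site-relative path or points at an allowed host."""
    if not target:
        return False
    # Browsers treat backslashes like slashes, so "/\evil.example" would become
    # a protocol-relative URL; normalise before parsing so that case is caught.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, and other non-web schemes
    if parts.netloc:
        # Covers "https://host/...", "//host/..." (protocol-relative) and
        # "allowed.host@evil.example" userinfo tricks: .hostname drops the
        # userinfo and port, so only the real destination host is compared.
        host = parts.hostname or ""
        return host in allowed_hosts
    # No authority component: accept only a single-slash relative path.
    # "https:evil.example" (scheme but no netloc) is rejected here too.
    return normalised.startswith("/") and not normalised.startswith("//")

def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Where the application would redirect: unsafe targets fall back to the home page."""
    return target if is_safe_redirect(target) else fallback

if __name__ == "__main__":
    for candidate in ["/account/summary", "https://tax.example.gov.uk/account",
                      "https://evil.example/phish", "//evil.example/phish",
                      "/\\evil.example", "https://tax.example.gov.uk@evil.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:50} -> {resolve_redirect(candidate)}")
```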
The second security issue took longer to uncover, said Zemnmez, but was potentially more damaging because, if exploited, it could give an attacker control over a victim’s information, potentially letting them modify it.
Ironically, he said, the code vulnerable to this serious bug was found in a website script used to digitally fingerprint users for fraud protection.
Exploiting this bug would have been much trickier for cyber-thieves, he said, adding that it was likely that anyone interested in attacking the HMRC site would use more straightforward methods to get people to hand over information.
Zemnmez said that although finding the security issues was straightforward, tracking down people in government who could help fix them proved to be “very frustrating”.
While trying to report the issues he found, Zemnmez discovered that the UK government does run a “responsible disclosure” programme that seeks reports of problems with government sites and services.
However, he said, the fact that it was invitation-only limited its usefulness.