The developer found the data after checking the check "Checks" - from March it can be traced all their purchases made in Internet services.
The source code of some of the services of the Federal Tax Service (FTS) has been in public access, and the data of users on purchases - under a possible threat of leakage. This conclusions came the user "Habra" Anton Piskunov.
The developer drew attention to the check "Checks" application. It allows you to get and store cash checks in electronic form, check the conscientiousness of the seller, send complaints to it and so on, reported to the FTS.
Using the application, the user can scan the QR code on the electronic check, which sends the fiscal data statement (OFD) after completing the order in any service or store. For example, after ordering in Yandex.ied, Piskunov came the check from Yandex OIS.
After scanning, an electronic copy of the check with full data on the order appears in the appendix. On March 4, 2021, the developers updated "check checks" by adding the "Display of Checks from the" My Checks online "function."
If you take authentication in the check "Check Check" application, specifying a phone number attached to the services like "Yandex.edi", "Taxi", "scooter" and others, in the "My Checks" section will automatically display all checks for all operations in these Services.
Piskunov decided to check how all these data were protected well. To do this, he put in the gap between the Internet and the application of a simple proxy and, recording the network activity of the application, "Pumbled into the buttons."
"It turned out that the endpoint with the data is located at the address ickt-mobile.nalog.ru:8888, which lives the simplest app on Nodejs using the Express framework. The user authentication mechanism allows you to data if you correctly indicated the "Sessionid" header, the value of which is some self-deficent token generated on the server side, "adds piskunov.
If you press the "Exit" button in the check "Checks" application, the token disability does not occur, it continues. Also, the user cannot see all its sessions or complete them on all devices. "Thus, even if you somehow understood that the access token was compromised, then there is no possibility to reset it and thereby guarantee from this moment the lack of an intended attacker access to your data," the developer writes.
He also noticed that in the case of the KRASH of the application, it sends the diagnostic data in the Sentry, located at the address not related, nor from the FTS, nor FSUE GNIIVC FTS of Russia (the developer "Checks check" - VC.RU), and on the Sentry domain .studiotg.ru.
After that, he found references to the Studiotg public repositories on the Gitlab, which are located in the Google Index, according to the developer, more than a year. In the repositories, he found folders containing adjustments "LKIO", "LKIP", "LKUL". They belong to the same-nameed services of the FTS on the domain nalog.ru - lkio.nalog.ru, lkip.nalog.ru and lkul.nalog.ru.
"For reconciliation that the detected sources do relate to the FTS services, a simple check of the presence of the Uppod-styles.txt file on the battle web server, which could not be there an accidental coincidence," writes Piskunov.
He concluded that the actual developer of the check "Checks" - Studiotg. The "Studio TG" website, which is engaged in IT consulting and software development, among the projects are the "personal account of the taxpayer" from the FTS.
Piskunov also believes that the company's fault, the source code of the tax service code is in public access. The editorial office of VC.Ru sent a request and expects comments from the FTS and Studio TG.
# News # FTS
A source