H&R Block at risk for injection attack.

Good thing they don’t handle any sensitive data… Oh, wait a minute. 

Lee Boucher
Apr 7, 2014

The tax software and preparation company H&R Block, which prepares 1 in every 7 US tax returns, doesn't sanitize their user input. I discovered this when I tried to make a login, and got the message “Please correct the following errors: Invalid JSON request.” I wasn't deliberately looking for weaknesses, but I used 1Password to generate a random password, and the character “[” happened to be in it. Aside from the relevant XKCD comic, the first thing that sprang to mind was amazement that this hadn't been found yet by either H&R Block or blackhat operators. It’s amazing that I would be the first person to find and recognize it: I have no security background and not even a degree in computer science, and I just stumbled across it casually.

With a target so potentially lucrative, and a vulnerability so obvious and easily exploitable, how had it escaped detection up until now? Has it escaped detection up until now? H&R Block doesn't know about it, or they would have fixed it (so one hopes). But there’s no way of knowing who else has found it and exploited it. Unless they got caught, or H&R Block realized the breach and disclosed it, there would likely be no externally visible evidence of an attack. Someone who was deliberately stealing data would have no incentive to announce that fact, and even if that data had already been sold and used, it wouldn't necessarily be obvious that it had come from H&R Block. “Absence of evidence is not evidence of absence” applies here, so there’s no immediate justification to assume that this has not been exploited.

Considering how amateurish this weakness is, I am ready to assume that H&R Block likely has other significant weaknesses and is not worth using even if this gets fixed. I suppose it’s lucky that H&R’s blunder was so obvious. When I see something like this, I can just go use TurboTax instead (and cross my fingers that they are any better). But what if the failure had been less visible from the front end, like storing personal information in plaintext? How can you hold companies responsible for putting personal information at risk by failing to follow best practices? How much can you do to even know whether data is being handled safely? Would it be unfair to punish developers and entrepreneurs for not knowing about something? That balance is difficult to strike when a small flaw can do so much damage, but it might be difficult to correctly attribute the damage to its source, and many mistakes are never detected. In most other fields with these characteristics, like medicine and architecture, regulation mandates credentials and adherence to certain best practices and processes for redressing harms from professional negligence. But for software and technology, that inflexibility is more likely to harm than to help, so how can we address these issues of accountability as the software profession grows and matures?

Edited to add: I can’t believe that I missed it the first time, but the page wasn’t even over HTTPS. This is the tweet with the screenshot of the page showing the error: https://twitter.com/LeeWhoLikesMath/status/452938816878149633
