On the same day that he discovered a number of serious security flaws in the Finance Portal, Miguel de Moura, an engineering student at the Instituto Superior Técnico, called the site's support line and warned of the risk that taxpayers' accounts could be compromised. But it was not until May that he managed to reach the "competent authorities", and it took another two months for the problem to be resolved once and for all, Exame magazine reported. "Changing someone's password, which is the most serious, took only a few seconds," Miguel Moura told Público.
The ability for anyone to change another person's password was the most serious security mistake the 22-year-old student discovered, but it was not the only one. In two articles published on his personal website on 15 and 17 August (after the Finance authorities had reportedly fixed the problem), Miguel Moura explains how it was possible to access other taxpayers' accounts and describes each of the other shortcomings he encountered along the way: obtaining a taxpayer's telephone number with nothing more than their tax identification number (NIF), changing addresses in the Finance Portal, and gaining access to users' confidential data.
For this, it was necessary to access the portal page's source code, a step available to any user. "Most online forms have hidden fields," the student explains to Público, "in the case of a password change request on the Finance Portal, the forms were prefilled with the user's NIF, which is normal, but surprisingly easy to find and change."
"The attacker did not even have to link the mobile number to someone's NIF," he says. By going through the password recovery process and inserting the victim's NIF, the attacker could change that account's password and so gain access to all of that taxpayer's tax information.
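The design flaw the article describes, shown next to a hardened handler, as an added illustration that is not code from the Finance Portal or from Miguel de Moura's write-up; the account store, the function names and the phone-verification step are constructed for the example. The point is that identity must never be read back from a form field the browser controls, even a hidden one.

```python
import hashlib
import secrets

# Constructed sample account store; NIFs and phone numbers are made up.
ACCOUNTS = {
    "111111111": {"phone": "+351 910 000 001", "pw_hash": None},
    "222222222": {"phone": "+351 910 000 002", "pw_hash": None},
}


def _hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


# Vulnerable pattern from the article: the reset form carries a hidden,
# prefilled "nif" field and the server trusts it as the account identity.
def reset_password_vulnerable(form: dict) -> str:
    nif = form["nif"]  # client-controlled: anyone can edit the hidden field
    ACCOUNTS[nif]["pw_hash"] = _hash_password(form["new_password"])
    return nif


# Hardened version: identity is never taken from the form. The server records
# which NIF passed the out-of-band check (here, a phone that matches the one
# on file) and hands the browser only an opaque, single-use token.
_PENDING_RESETS: dict[str, str] = {}


def start_reset(nif: str, verified_phone: str) -> str:
    if ACCOUNTS[nif]["phone"] != verified_phone:
        raise PermissionError("phone does not match the account on file")
    token = secrets.token_urlsafe(32)
    _PENDING_RESETS[token] = nif
    return token


def reset_password_hardened(form: dict) -> str:
    # pop() makes the token single-use; a missing or reused token fails closed
    nif = _PENDING_RESETS.pop(form.get("token", ""), None)
    if nif is None:
        raise PermissionError("unknown, used or expired reset token")
    # Any "nif" the client sends is ignored; the server-side token decides.
    ACCOUNTS[nif]["pw_hash"] = _hash_password(form["new_password"])
    return nif
```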