the personal weblog of paul burd, multimedia designer

I found a serious security bug in H&R Block’s online tax software

4.9.2008 – 3:34 pm

UPDATE (4.12.08): The bug mentioned here has been resolved. Read the post and the updates at the bottom for the entire story.

I’ve been using H&R Block’s online tax services to do my taxes this year. While corresponding with one of their tax professionals through their online message center, I discovered a very serious security hole in their software. I won’t describe the exact steps here because I don’t want anyone to take advantage of this, but by clicking through the tax software in a specific order, I found that all of the messages in my message center were replaced with random messages between other customers and their tax pros. Many of these messages contained confidential information and had very sensitive attachments, like W2s and other financial documents, that I was fully able to download. The process of doing this is repeatable, so it’s definitely a bug.

I tried reporting this to H&R Block, but I don’t think I was very successful. Here’s how it went…

I called the H&R Block tech support number and spent 20 minutes on hold. A young woman finally answered and said, “How may I help you?” I explained that I was calling to report an urgent issue, where I could see other customers’ private information in my message center. Her only response was to give me another phone number to call.

I called the new number and spent another 20 minutes on hold. A young woman finally answered and said, “How may I help you?” I explained that I was calling to report an urgent issue, where I could see other customers’ private information in my message center. Her only response was, “So… how may I help you?” I repeated that I was calling to report a serious bug in their system, to which she replied, “I can open a support ticket for you, if you like?” At this point I asked for her supervisor. After 40 minutes on hold, the supervisor came on the line and said, “How may I help you?”

By now, I’m pretty pissed off. I can’t believe I just spent an hour and a half on the phone trying to relay this issue and I’m no closer than I was when I started. I gave the supervisor the facts, and he asked me for my username. He logged into my account, but for whatever reason the screens he sees are different than the ones that I see, so he couldn’t click on the required items. My only option was to verbally describe the screens and steps required to reproduce the bug. He put me on hold for a few minutes, and then came back on and thanked me for reporting this issue. That’s it.

When I relayed the procedure to the supervisor, I rattled it off fairly quickly. I actually expected him to escalate the issue to a higher level tech support and I would be repeating it in more detail to someone else. But, he didn’t, at least not with me still on the phone. He didn’t appear to be taking any notes either, so I don’t know if he actually got it or not. It’s possible they were recording the call, but there was no standard message about that at the beginning, so I don’t know.

In addition to the security bug itself, I can’t believe I had such a hard time communicating the seriousness of this problem. Not only is H&R Block potentially screwing its customers, but they’re also opening themselves up to a giant lawsuit. One thing is for sure… I will NOT be using H&R Block Online again next year.

UPDATE (4.10.08): I don’t know if my support call yielded any results, but I did forward this blog post to the tax pros I had interacted with through the H&R Block website, and they are taking action. I was contacted by two different support people and we ran through the procedure to replicate the bug. They’re looking into it now. I’ll continue to update this post with any new information I receive.

UPDATE (4.11.08): H&R Block has informed me that they’ve identified the cause of the bug and are working on the fix now. They hope to have it implemented by late tonight. I’ll be testing this later to confirm the fix. They’re also doing research to determine how many people may have been impacted by the bug. They told me that initial data suggests it was a relatively small number of users. I’ll update this post when I know more.

UPDATE (4.12.08): This morning I tested the system on my account and my girlfriend’s. Everything appears to be fixed.

Although this whole thing started out a bit rocky due to undertrained phone-support employees, I am glad to see that once the word reached the right people they did take swift action in solving the problem. To some degree I guess this incident is a testament to the power of blogging. I can’t say this with absolute certainty, but I personally believe that forwarding this post to the tax pros I worked with did more to get this resolved than my phone call to tech support.

In the interest of absolute transparency, I should also mention that in return for the trouble I had with tech support, and my assistance in troubleshooting the system, H&R Block did refund the cost of this year’s return and offered me free tax preparation for next year.

Adobe Drops Giant Turd on Director Community

3.27.2008 – 9:47 pm

Adobe Director 11

Like many others, I’ve been patiently waiting for Macromedia Adobe to update Director for quite some time now. The product hasn’t seen an update since 2004, and even that one wasn’t that hot. After years of no news whatsoever, Adobe finally announced Director 11 in February, and it began shipping this past Tuesday.

My first reaction to Director 11… Adobe, you should be ashamed of yourself for charging money for this piece of crap!

If you’re a Director user, the $299 upgrade basically buys you official support for Windows Vista and Intel Macs. That’s it! Any other (minor) features boasted by Adobe are over-hyped and under-delivered. For all practical purposes, this release should have been called Director 10.2, and given to us as a free update. As evidence of how little has actually changed in Director, the first thing the app does when you launch it is phone home to Macromedia.com.

In terms of Mac support, the new Director is extremely limited. Although Director 11 shipped 6 months after Leopard, Leopard is not officially supported for authoring or playback. For authoring, Director 11 only supports 10.4 on an Intel Mac. Director 11 does support playback on PPC-based Macs, but also only on 10.4… nothing older, and nothing newer. I have done some preliminary testing running Director 11 under Leopard, and so far everything seems to work OK. There is no word from Adobe on when Director will officially gain Leopard support.

One other item that should be mentioned about Director now being able to run natively on Intel Macs: none of your existing Xtras will work. All previous (Mac) Director Xtras are PPC only. You’ll need to get updates for all of those before they’ll work with Director 11.

Adobe also now boasts, “support for more than 40 video, audio, and image file formats”. Of course, they won’t tell us what formats those are exactly. I can’t find a list anywhere. I guess it’s up to us to guess. I can tell you 2 that are NOT supported… PDF, and Flash video (flv). I was shocked by this! Considering the fact that those two formats are core components of Adobe’s distribution system, how could they not build in support? Adobe Illustrator is also not one of those mysterious 40 formats, which is surprising since Adobe announced full Creative Suite compatibility when they first announced Director 11. They’ve since removed that statement from their site.

There’s just one last complaint I want to voice. This one is extremely minor, and pretty nit-picky, but I think it illustrates Adobe’s commitment to Director… They couldn’t even be bothered to make a custom folder icon like they do for all of their other applications. How freakin lazy is that?

My best advice… if you don’t really need Vista or Intel Mac support right now, then don’t bother buying Director 11. Unfortunately, I had to. :(

Song made entirely of Mac OSX system sounds

2.26.2008 – 9:22 pm

Mike Solomon is a New York City based graphic designer, photographer, and musician who decided it was time to compose an entire song out of Mac OSX sound effects…

“As if all the sound effects of the Mac OSX interface weren’t annoying enough, I decided to take things a step too far. Enjoy!”

You can even download the Garage Band file and mashup a new version for yourself.

YouTube Link | via Swiss Miss

Oh, and for you PC users, here’s one made entirely of Windows system sounds. It’s actually quite good.

Vote for me at JPG Magazine :)

2.4.2008 – 12:39 pm

Sophia

I normally only post my photos to my photoblog, but I submitted this image to issue #15 of JPG Magazine, for the Noir theme, and I’m hoping to elicit some votes. :) If you’re a member of the JPG community, and you like my image, please give it your vote. Voting closes on February 15th, 2008.

Description of the Noir theme from JPG Magazine: “The dark and brooding images that evoke everything from films of the past to the haunted streets of the night. Noir is about the black and the white, the grainy imperfection of the world. Photos submitted to this theme don’t have to be in black and white.”

Sprout Builder: Drag-and-drop WYSIWYG Flash Widget Builder

2.1.2008 – 5:37 pm

[ YouTube Link ]

I recently finished some work for a new startup here in San Francisco called Sprout. I built this movie for them (above).

Their product is called Sprout Builder. It’s an easy to use drag-and-drop, WYSIWYG Flash interface for building live, interactive multimedia content that can easily be added to any web page. Basically, they’re widgets… or as they call them, Sprouts. They introduced the Sprout Builder at the DEMO conference on January 29th.

I have to admit, when they first approached me to make the movie, I thought to myself… another widget maker, big woop. But, when I started to play around with the Sprout Builder I realized that they’ve actually made a pretty cool tool, with a lot of power, that is easy for just about anyone to use. It’s way ahead of anything else out there right now.

With Sprout Builder you can build relatively simple things like RSS feed readers or countdown Sprouts (widgets), but you can also build very complex multi-page, interactive micro-sites, using just the pre-built components that they give you. The Sprout Builder has its own drawing and text tools, but you can also upload (or link to) your own images, video, audio, etc… The Sprout Builder has an intuitive interface that will be familiar to anyone who has used tools like Photoshop or PowerPoint.

Unfortunately, the Sprout Builder is currently in Closed Beta, so not everyone can get their hands on it just yet. But, you can sign up on the site to be notified when it’s opened up to everyone. If you have a website, it’s worth checking out.

Check out these reviews to see what others are saying about Sprout…

TechCrunch
Mashable
Webware
ReadWriteWeb

Oh, and as long as I’m talking about this, I might as well throw out some shameless self-promotion. After all, from what I hear the movie has been pretty well received. If you’re interested in having me produce some marketing material for you, feel free to contact me through my online portfolio site.

$1 Image Stabilizer For Any Camera

1.30.2008 – 11:05 am

I haven’t tried this myself, but it looks pretty easy.

meta cafe link | via DF

The real power of Google Street View

1.29.2008 – 10:19 am

Hilarious!

YouTube Link | Via Laughing Squid

Super “Friends”

1.29.2008 – 10:09 am

YouTube Link | via Laughing Squid