The Canadian tax authority has shut down public access to online services amid fears that a flaw in a widely used encryption method could be used by cyber criminals to access sensitive taxpayer information.

The Canada Revenue Agency said the discovery of the “Heartbleed bug”– a serious vulnerability in OpenSSL software – had led it to temporarily prevent taxpayers from using the site “to safeguard the integrity of the information we hold”.

The agency said it was trying to restore online services to ensure private information, as the shutdown comes just three weeks before the deadline for filing personal income tax.

“The Canada Revenue Agency places first priority on ensuring the confidentiality of taxpayer information,” it wrote in a statement on its website. “Please be assured that we are fully engaged in resolving this matter and restoring online services as soon as possible in a manner that ensures the private information of Canadians remains safe and secure.”

The bug, announced by security researchers from Codenomicon and Google Security earlier this week, is in the software used to secure about two-thirds of all websites including Google, Amazon, Yahoo and Facebook.

The technology companies have rushed to update the software, which fixes the problem, but no one can yet tell whether hackers have been able to exploit the vulnerability that has existed since 2011. The flaw allows hackers to read everything in a computer’s memory, potentially exposing web traffic, user data and stored content.

The Canada Revenue Agency is unlikely to be the only government agency to use the OpenSSL language, although a list compiled by developers on the site GitHub suggests that very few of the “.gov” sites are vulnerable.

Michael Coates, director of product security at Shape Security and chairman of the Open Web Application Security Project, said governments around the world would have to deal with the vulnerability.

“Any government server that is vulnerable to Heartbleed should be assumed to be under active attack,” he said. “Public tools are available to determine if a site is vulnerable …These tools can be used by governments to aid detection and patching of the issue.

“However, malicious attackers can use these same tools to quickly find and exploit the vulnerability on government systems.”

Cyber criminals range from the opportunistic and often not highly skilled hackers buying tools off the internet, to so-called advanced persistent threats which are often nation states, targeting companies to steal their intellectual property.

Darien Kindlund, director of threat research at FireEye, said it had not yet seen any advanced persistent threats trying to take advantage of the flaw. But he said he believed it was “likely” they would in the “near future”.

Cyber security experts have recommended that users of affected services – most people who use the internet – change their passwords after the service has updated its software.

Trey Ford, global security strategist for Rapid 7, a US cyber security company, said if users were not sure if the site had been updated yet, it was best not to log in to accounts as the password would be stored on a server accessible by hackers.

“The challenge is that you need to change your password after the affected service has taken the necessary steps to mitigate the risk on their side. It doesn’t hurt to change it immediately, and then change it again after the services are updated, but remember: do not reuse passwords,” he said.

“We’re hopeful that larger service providers will all be patched within the next 24-48 hours, and you should definitely change your password once that happens.”

Get alerts on Companies when a new story is published

Copyright The Financial Times Limited 2020. All rights reserved.
Reuse this content (opens in new window)

Follow the topics in this article