In a video obtained exclusively by Fairfax Media, Liew demonstrated how downloading a PDF letter from the tax office by clicking on a link within the myGov mailbox creates a "cookie" which logs the user into ato.gov.au. (In this case, cookies are used to authenticate the "single sign-on" process, or SSO, whereby the user only has to log in once with myGov to access multiple linked services, such as tax, Medicare and Centrelink.)

myGov is a portal which provides single sign-on (SSO) to access multiple services from linked government agencies.

Because clicking on the PDF link didn't actually open a browser page at ato.gov.au, no page was ever closed and the cookie did not expire. As a result, the next user who logged in to myGov on the same computer and browser and clicked on a link to ato.gov.au saw the previous user's records.

"I've just spent about an hour on the phone to four myGov technical support people to explain to them that there is a serious bug on the myGov website that will expose another person's ATO information if they share the same computer and browser," Mr Liew said in his video. "This is very common [to share computers] in workplaces and public libraries however none of them seems to be able to understand what I was trying to say."

The ATO said this week it had fixed the problem. Mr Liew, however, removed the video from YouTube after the department raised security concerns.

Security researcher Nik Cubrilovic found gaping holes in the myGov website more than a year ago.

DHS has been asked to clarify whether the flaw was present across other government services such as Medicare or Centrelink. Security analyst Ty Miller said this was a "strong possibility". Another analyst, CQR Security founder Phil Kernick, also said it was possible.

An ATO spokesperson did not directly respond when asked how long the flaw had been present. However, they said the ATO was aware of "very limited circumstances" in which the flaw could have occurred: the first user did not sign out of the ATO website (and the session did not automatically time out) before logging out of myGov, and both users were using the same device and browser.

"This issue does not occur on all types of devices," the spokesperson said. "We continue to investigate to ensure no other errors are occurring."

A DHS spokesperson said there was "no flaw" in myGov and that the problem lay with the ATO. Mr Kernick also said the responsibility to delete cookies lay with the services plugging into myGov, and not with myGov itself.

Broader problems

But security researcher Nik Cubrilovic said the cause of the vulnerability was rooted in the architecture of myGov and its SSO process, and the "very basics" of authenticating a user.

"This is an architectural flaw—there are better methods for having SSO where logging out once at myGov would also log you out of any other site," Mr Cubrilovic said. "I'm ... not comfortable with the blame shifting [from DHS to ATO]. It suggests that the culture that led to this bug and previous bugs is still prevalent at the department and that more issues are a matter of when rather than if."

The ATO spokesperson said the department "worked with DHS to design its online services in the context of the myGov website".

Mr Cubrilovic last year revealed a separate security flaw with myGov, also relating to cookies, which allowed user accounts to be hijacked.

In a document sent to DHS and seen by Fairfax Media, he outlined no fewer than 12 security issues with the myGov portal and gave recommendations as to how they could be fixed. One-and-a-half years later, Mr Cubrilovic said, half of the recommendations had still not been implemented.

"In my original report there were recommendations to shorten the time that cookies are valid, to change the cookie type so that it couldn't be stolen and to unset them properly, but none of these were taken up," he said.

The flaw uncovered this week could also be replicated remotely—i.e. not necessarily only affecting people using the same computer and browser—if someone gained access to the user's cookie, he said.

Mr Cubrilovic said he was "not 100 per cent confident" in the way the ATO had implemented a fix for the new bug, because there was "still so much that can go wrong".
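The sequence the article describes (a linked service's session cookie that survives a myGov logout and is then reused by the next person on the same browser), together with the two remedies it mentions (single logout across linked sites, and shorter cookie lifetimes), can be shown in a small simulation. The following is an added, constructed toy model written for this article; it is not code from myGov, DHS or the ATO, and the "portal", "service", user names, session-id formats and timeouts are all invented for illustration.

```python
"""Toy model of cookie-based single sign-on: a portal (the hub the user
logs in to) and one linked service that sets its own session cookie when
the user follows a link from the portal.  Two users share one browser,
represented by a single cookie jar.  Constructed simulation only."""
import secrets


class Browser:
    """One shared browser: a cookie jar that outlives individual logins."""
    def __init__(self):
        self.cookies = {}


class Portal:
    """The SSO hub.  Tracks linked services so it can notify them on logout
    when single logout is enabled."""
    def __init__(self, single_logout: bool):
        self.single_logout = single_logout
        self.sessions = {}      # portal session id -> user
        self.linked = []

    def login(self, browser: Browser, user: str) -> None:
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        browser.cookies["portal_sid"] = sid

    def current_user(self, browser: Browser):
        return self.sessions.get(browser.cookies.get("portal_sid"))

    def follow_link(self, browser: Browser, service: "Service", now: float) -> None:
        """User clicks a link to a linked service (e.g. downloads a letter)."""
        user = self.current_user(browser)
        if user is None:
            raise PermissionError("not logged in to the portal")
        service.on_portal_link(browser, user, browser.cookies["portal_sid"], now)

    def logout(self, browser: Browser) -> None:
        sid = browser.cookies.pop("portal_sid", None)
        self.sessions.pop(sid, None)
        if self.single_logout:
            # Back-channel single logout: every linked service drops the
            # sessions it created on behalf of this portal session.
            for service in self.linked:
                service.revoke_portal_session(sid)


class Service:
    """A linked service (the tax site in the article).  max_idle is the idle
    timeout in seconds; None means the session never expires on its own."""
    def __init__(self, portal: Portal, max_idle=None):
        self.max_idle = max_idle
        self.sessions = {}      # service session id -> {user, portal_sid, last_seen}
        portal.linked.append(self)

    def _valid(self, browser: Browser, now: float):
        """Return the live session behind the browser's service cookie, or None."""
        sid = browser.cookies.get("svc_sid")
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.max_idle is not None and now - sess["last_seen"] > self.max_idle:
            del self.sessions[sid]          # idle timeout: drop the stale session
            return None
        sess["last_seen"] = now
        return sess

    def on_portal_link(self, browser, user, portal_sid, now):
        # The flaw modelled here: a still-valid service cookie is trusted as-is,
        # so no fresh session is established for the newly logged-in user.
        if self._valid(browser, now) is not None:
            return
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "portal_sid": portal_sid, "last_seen": now}
        browser.cookies["svc_sid"] = sid

    def records_for(self, browser, now):
        sess = self._valid(browser, now)
        return None if sess is None else f"records of {sess['user']}"

    def revoke_portal_session(self, portal_sid):
        # Server-side invalidation: the old cookie may linger in the browser,
        # but it no longer maps to a session, so it is rejected.
        stale = [s for s, v in self.sessions.items() if v["portal_sid"] == portal_sid]
        for s in stale:
            del self.sessions[s]


def shared_computer(single_logout: bool, max_idle=None, gap: float = 60) -> str:
    """Alice logs in, downloads a letter, and logs out of the portal only.
    Bob logs in `gap` seconds later on the same browser and follows the same
    link.  Returns whose records Bob is shown."""
    browser, portal = Browser(), Portal(single_logout)
    tax = Service(portal, max_idle)
    portal.login(browser, "alice")
    portal.follow_link(browser, tax, now=0)   # tax cookie set; no tax page is ever closed
    portal.logout(browser)                    # logs out of the portal, not the tax site
    portal.login(browser, "bob")
    portal.follow_link(browser, tax, now=gap)
    return tax.records_for(browser, now=gap)


if __name__ == "__main__":
    print(shared_computer(single_logout=False))                          # records of alice
    print(shared_computer(single_logout=True))                           # records of bob
    print(shared_computer(single_logout=False, max_idle=900, gap=1000))  # records of bob
```

The first call reproduces the shared-computer case: Alice's service session is never invalidated, so Bob's click is served from her cookie. Enabling single logout has the portal tell each linked service to discard sessions tied to the portal session being ended, which is the architectural fix described above. The idle timeout alone also closes the window in the third call, but only if the second user arrives after it has elapsed, which is why a short cookie lifetime is a mitigation rather than a substitute for single logout.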

"A proper fix for this issue would be to re-architect the SSO process," he said.

Difficulties reporting bugs

The simplest of Mr Cubrilovic's recommendations from last year was to have a clear point of contact for users to report website bugs.

Mr Liew said he posted a video on YouTube documenting the flaw because attempts to report the bug via myGov and ATO customer service channels had resulted in him being hung up on twice. One staff member even told him to reboot his computer, he said.

In his video Mr Liew described speaking to four separate myGov support staff over an hour, none of whom were able to log the issue and direct it to security. He then rang ATO support, only to be told to contact myGov.