Cyber experts question SARS’s new browser security
Some cyber security experts say the South African Revenue Service’s (SARS’s) decision to introduce a Web browser that supports defunct Adobe Flash Player has “severe” cyber security implications.
Citizens have also taken to social media to express their dismay at the revenue service’s decision to roll out a browser that enables Flash Player.
This week, SARS announced the release of an alternate SARS browser solution, as it tries to deal with the aftermath of the delay in migrating all eFiling forms from Adobe Flash to its chosen HTML5 platform.
In its statement, the tax collecting agency says taxpayers will be able to complete and submit the Flash-based forms not migrated to HTML5, in the interim, while it completes the migration.
“The SARS browser enables access to all eFiling forms, including those that require Adobe Flash, thus maintaining compliance with your filing obligations.”
SARS adds that existing Web browsers such as Chrome and Edge will continue to work for all forms already migrated.
Even though software company Adobe announced in July 2017 that it would stop supporting Flash Player after 31 December 2020, SARS has been behind in completing the migration process.
As a result of the disruption caused by the migration holdup, last week the taxman said it would implement some remedial actions to assist taxpayers still experiencing issues.
At the time, the taxman didn’t point to a SARS browser among its list of solutions to deal with the disruption caused by the discontinuation of Adobe Flash, but has now indicated its availability.
Cyber security and small business expert Hennie Ferreira says SARS is obviously desperate for a solution; however, the current solution is not safe.
“Flash Player is no longer a secure technology and any solution that involves using Flash Player is not secure. I think SARS is making the matter worse by putting taxpayers at risk by using unsafe technologies.”
Ferreira highlights that the only solution to the Flash Player issues is to not use it at all. “SARS should process all requests via e-mail and their call centres manually until they have fixed the eFiling system.”
SARS notes the browser is currently compatible with Windows devices only, a move that Ferreira says still excludes the thousands of Mac and Linux users.
Jason Jordaan, principal forensic analyst at digital forensics firm DFIR Labs, comments that it was not a good decision on the part of SARS to release a “new” browser, adding that it just contributes to confusion on the part of the end-user.
“The bottom line is that SARS had well over three years to migrate from Flash and they simply did not get it done in time. They had certainly been working on it as a lot of functionality was no longer dependent on Flash.
“SARS clearly had the capability to transition away from Flash, and had demonstrated that they could do so successfully. My concern is that deploying a new browser instead of simply fixing the problem (that they were aware of), on time, is an ineffective use of resources, at a time when all of us in the country are expected to tighten our belts.”
SARS says its browser cannot be used for general Internet surfing, as it deploys as a separate application and can only be used to access the SARS eFiling Web site and SARS corporate Web site.
Ferreira emphasises that the security implications are severe. “It places every taxpayer who still needs Flash Player to use the browser at risk of cyber attacks. Adobe recommended removing Flash Player completely, or uninstalling it, as it is insecure and will open computers up to cyber attacks.
“The second problem is that it also places the entire eFiling system at risk and makes the entire system vulnerable by using outdated and insecure technologies.
“The risks are not only on the forms that use Flash Player; it also creates the possibility for hackers to use Flash Player’s vulnerabilities to penetrate SARS’s systems and pivot further attacks from there.”
Jordaan notes that using a product that is no longer supported carries risks. “The browser that SARS has released is a Chromium-based browser, and while the latest Chromium build has Flash support removed, it is possible to still enable Flash to run.”
Ferreira stresses that the situation is a national embarrassment for SARS as it was well aware of the discontinuation of Flash Player.
“This is not acceptable and it clearly demonstrates the incompetence from SARS’s IT department to act in this way and ignore cyber security norms and standards and put their own systems and taxpayers’ systems at risk.
“Businesses in South Africa, under the POPI Act, are obliged to implement cyber security protocols by law or face serious consequences. By being forced to use insecure technologies by SARS, this means they are not POPI-compliant as there is a well-known vulnerability that is not being addressed and can place all personal information that they process at risk.
“There is a very good reason why all major browsers stopped supporting Flash Player and removed it from their software. Flash Player is a security risk. SARS is doing the opposite by providing a browser that continues to use Flash Player, despite Adobe clearly instructing everyone not to do so. Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera Browser, and pretty much any other safe browser, have discontinued their support for Flash Player.”