Cyber experts question SARS’s new browser security

Cyber security experts believe that the South African Revenue Service (SARS)'s decision to launch a web browser that supports Adobe Flash Player has "severe" implications for cyber security.

Citizens also took to social media to voice their disappointment at the revenue agency's decision to launch a browser that enables Flash Player.

SARS has announced that it will release an alternative SARS browser to address the delays in migrating all eFiling form data from Adobe Flash to the HTML5 platform.

The tax collection agency stated that taxpayers would be able to submit Flash forms that have not yet been migrated to HTML5 while the migration is completed.

"The SARS browser allows you to access all forms of eFiling, even those that require Adobe Flash. This will allow you to comply with your filing obligations."

SARS also states that all forms that have already been migrated will continue to be supported by existing web browsers such as Edge and Chrome.

Take desperate measures

SARS delayed the completion of the migration even though Adobe, the software company behind Flash, had announced that Flash Player would cease to be supported after 31 December 2020.

Last week, the taxman announced that it would take remedial steps to help taxpayers who are still having problems due to the disruption caused in part by the ongoing migration standoff.

At the time, the taxman did not mention a SARS browser as a solution to the interruption caused by Adobe Flash's discontinuation. It has now indicated that the SARS browser is available.

Hennie Ferreira, a cyber security expert and small-business specialist, says that SARS is clearly desperate for a solution, but that the solution it has chosen isn't safe.

Flash Player is no longer considered a safe technology. Flash Player can be used to solve any problem that Flash Player may have. SARS makes matters worse; I believe that by using unsecure technologies it puts taxpayers at risk.

Ferreira explains that the Flash Player issue can only be solved by not using Flash Player at all. SARS should handle all inquiries manually via email and call centres until the eFiling problem is fixed.

SARS states that the browser works only on Windows, which Ferreira says excludes thousands of Mac and Linux users.

Jason Jordaan, principal forensic analyst at digital forensics company DFIR Labs, comments that publishing a new browser was not a wise decision by SARS and adds that it only creates confusion for users.

SARS needed the Flash migration for over three years and simply didn't get it done on time. It was something they had been doing for a while, as Flash is no longer required for a lot of functionality.

SARS had shown that it was capable of moving away from Flash and was able to do so. I worry that deploying a new browser, rather than fixing on time a problem they knew about, is inefficient, at a time when everyone in the country is expected to tighten their belts.

Avoid unnecessary risk

SARS claims its browser can't be used for general Internet browsing because it is a standalone application that only allows access to the SARS corporate website and the SARS eFiling website.

Ferreira stresses that the security consequences are serious: the browser puts taxpayers who use it, and therefore Flash Player, at risk of cyber attacks. Adobe advised users to remove or uninstall Flash Player entirely, as Flash Player is not secure and can lead to cyber-attacks.

The second issue is that the browser also puts the whole eFiling system in danger by exposing it to outdated, unsecure technology.

The risks do not lie only with the Flash Player forms; hackers can also use Flash Player's weaknesses to break into SARS's systems and launch further attacks.

Jordaan points out that it is risky to use a discontinued product. The browser SARS released is Chromium-based, and although Flash support has been removed from current Chromium builds, the SARS browser can still run Flash.
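One practical defender-side check that follows from this point, as an added example that is not from the article, SARS or any of the experts quoted: a website operator who wants to warn visitors still running a Flash-enabled browser can feature-detect the Flash plugin from page script. Flash Player historically advertised itself through the `application/x-shockwave-flash` MIME type and a "Shockwave Flash" entry in `navigator.plugins`; a current Chrome, Firefox or Edge exposes neither. The function takes a navigator-like object as a parameter so it can be exercised offline against constructed inputs; in a browser you would pass the real `navigator`. The sample navigator objects and the warning text are constructed for this example.

```javascript
// Added example: detect whether a browser still exposes the Flash Player
// plugin, so a site can warn users who are running a legacy Flash-enabled
// browser. Uses the two ways Flash historically advertised itself:
// the Flash MIME type in navigator.mimeTypes and a "Shockwave Flash"
// entry in navigator.plugins.
const FLASH_MIME = 'application/x-shockwave-flash';

function hasFlash(nav) {
  if (!nav) return false;

  // navigator.mimeTypes supports lookup by MIME type string; a Flash entry
  // with an enabledPlugin means the plugin is installed and active.
  const mimeTypes = nav.mimeTypes || {};
  const flashMime = mimeTypes[FLASH_MIME];
  if (flashMime && flashMime.enabledPlugin) return true;

  // Fall back to scanning the plugin list by name (array-like object).
  const plugins = nav.plugins || [];
  for (let i = 0; i < plugins.length; i++) {
    const p = plugins[i];
    if (p && typeof p.name === 'string' && /shockwave flash/i.test(p.name)) {
      return true;
    }
  }
  return false;
}

// Returns a warning string for Flash-enabled browsers, or null otherwise,
// so the caller can decide how to surface it.
function flashWarning(nav) {
  if (!hasFlash(nav)) return null;
  return 'Your browser still runs Adobe Flash Player, which Adobe no longer ' +
         'supports or patches. Please use a current browser for this site.';
}

// Constructed navigator-like objects for offline demonstration (not real
// browser data). A legacy browser with Flash enabled:
const legacyNavigator = {
  mimeTypes: { [FLASH_MIME]: { enabledPlugin: { name: 'Shockwave Flash' } } },
  plugins: [{ name: 'Shockwave Flash', description: 'Shockwave Flash 32.0 r0' }],
};
// A current browser with no Flash plugin at all:
const modernNavigator = {
  mimeTypes: {},
  plugins: [{ name: 'PDF Viewer' }],
};

// In a real page: if (hasFlash(navigator)) { /* show flashWarning(navigator) */ }
```

The check is deliberately conservative: it treats the plugin as present only when the MIME type entry is backed by an enabled plugin or a plugin is actually named "Shockwave Flash", so a browser that merely lists an empty `mimeTypes` collection is not flagged.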

Considerations for compliance

Ferreira says that this is a national embarrassment for SARS, as the agency was aware of Flash Player's discontinuation.

This is unacceptable and clearly shows the incompetence of SARS's IT department. They ignore cybersecurity norms and standards, and risk their own systems as well as taxpayers'.

Under South Africa's POPI Act, businesses are required by law to have cyber security protocols implemented or face severe consequences. SARS forces them to use unsecure technology, which means they are not POPI compliant: there is a known vulnerability that isn't being addressed, and it can put all of their personal data at risk.

All major browsers, including Google Chrome, Mozilla Firefox and Microsoft Edge, have stopped supporting Flash Player and removed it from their products because it poses a security threat. SARS does the opposite and provides a browser that continues to use Flash Player despite Adobe explicitly telling everyone to stop.