Cyber experts question SARS’s new browser security

According to some cyber security experts, the South African Revenue Service’s (SARS’s) decision to release a Web browser that supports the defunct Adobe Flash Player has “significant” cyber security implications.

The decision by the revenue service to release a browser with Flash Player enabled has also been condemned by many citizens, who took to social media to vent their anger.

SARS released an alternative SARS browser solution this week as it tries to resolve the delays that occurred in migrating all eFiling data from Adobe Flash to its HTML5 platform.

According to the statement by the tax collector agency, taxpayers can still complete the Flash-based forms that haven’t been converted to HTML5 while they wait for the migration to be completed.

“The SARS Browser allows access to all eFiling forms including Adobe Flash. You can thus comply with your filing obligations.”

SARS states that existing Web browsers such as Chrome and Edge will work with all forms that have been migrated.

Desperate steps

SARS has been slow to migrate away from Flash Player, even though Adobe Software announced it would no longer support Flash Player after 31 December 2020.

The taxman stated last week that, due to disruptions caused by the migration, it would take appropriate action to aid taxpayers experiencing problems.

Although the taxman had not indicated availability of a SARS Browser at that time,

Hennie Ferreira, a small business and cyber security expert, says SARS has obviously been desperate for a way to get out of this crisis, but there is no safe solution.

Flash Player has been removed from the list of secure technologies. Flash Player cannot be used in any way that would compromise Flash Player’s security. By using unsafe technology that puts taxpayers at risk, SARS is only making matters worse.

Ferreira points out that there is only one solution to the Flash Player problems. SARS should still process requests by e-mail, and they must also call their customer service centres to resolve the Flash Player issues.

SARS points out that the browser only works with Windows devices, which Ferreira said excludes thousands of Mac users.

Jason Jordaan, principal forensic analyst at digital forensics firm DFIR Labs, comments that SARS made a poor decision in creating a “new browser”, adding that this only creates confusion for the end-user.

SARS had over three years to move from Flash, and it was simply not possible for them to do so in the time they needed. As Flash was not used for many functions, they were working hard to make it happen.

SARS demonstrated the ability to move away from Flash. It is concerning that they chose to deploy a new browser, rather than fix the problem as quickly as possible. At a time when all citizens are trying to cut costs, this is unacceptable.

Risks that are not necessary

SARS states that its browser is not intended for Internet surfing. It deploys separately and can only access the SARS corporate Web site or SARS eFiling site.

Ferreira emphasizes the serious security implications. Every taxpayer who uses Flash Player in order to access the web browser is at risk. Adobe suggested that Flash Player be removed completely, or at least uninstalled. Flash Player can make computers vulnerable to hackers and is highly insecure.

“The second problem with it is the fact that it puts all of eFiling at risk. It also makes the entire system susceptible to insecure and outdated technologies.”

Flash Player is not the only risk; it also opens up the potential for hackers to exploit Flash Player’s vulnerabilities and penetrate SARS systems in order to pivot to additional attacks.

Jordaan warns that you should not use an obsolete product. SARS’s browser is Chromium-based. While the most recent Chromium build does not support Flash, Flash is still possible.

Compliance considerations

Ferreira emphasizes that the situation is embarrassing for SARS because it knew of Flash Player’s demise.

“This is unacceptable. It clearly displays the incompetence shown by SARS IT to act this way, ignore cyber security norms/standards, and place their own systems and those of taxpayers at risk.”

South African businesses must implement cybersecurity protocols under law. SARS forced them to use insecure technology, which means they aren’t POPI-compliant. The vulnerability is well-known and could expose all the personal information they handle.

Flash Player is not supported by all browsers. All major browsers have removed support for Flash Player. Flash Player presents a security risk. SARS has provided a browser that uses Flash Player even though Adobe specifically advised against it. Flash Player has been removed by Google Chrome and Mozilla Firefox as well as Microsoft Edge and Apple Safari.