Several users visiting the HM Revenue & Customs website used for self-assessment tax purposes have issued complaints that the site is not secure. Users note that when they use the website their password is actually displayed as a part of the URL which is shown in a web browser’s address bar.
The security risk is that people can take the password and use it to access someone else’s tax information which is located on the site. The field for a person’s username will auto-complete the name once you begin to type it. Because the username and password are so easy to obtain it could pose a real security issue for anyone that chooses to use the site.
To make matters worse, any time you print a document from the website the URL is also printed at the bottom of the page. Because the password is clearly visible in the URL, anyone that found the piece of paper would also find the person’s password.
An expert on security at Cambridge University, Richard Clayton, noted that the password issue was not a common practice. He said “Seeing someone’s tax return is not the same as accessing their identity, however. Though it could be a step towards doing that.”
HMRC has defended the website and has denied that a password is revealed in the URL. Instead they said that it was actually a unique taxpayer number that was displayed, and that this had nothing to do with a person’s password or username.