IRS: Selfies Now Optional, Biometric Data to Be Deleted
The U.S. Internal Revenue Service (IRS) said Monday that taxpayers are no longer required to provide facial scans to create an account online at irs.gov. In lieu of providing biometric data, taxpayers can now opt for a live video interview with ID.me, the privately held Virginia company that runs t...
GSA Bounty: Redirect on authorization allows account compromise
Login.gov had a bug in validating the redirect_uri in the /openid_connect/authorize endpoint, which allowed specially crafted subdomains to be incorrectly validated when they began with a valid hostname. For example, a redirect_uri with a hostname of agency.gov.example.com would validate a URL as if...
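The validation flaw described in that report, as an added example that is not Login.gov's code: a prefix check on the redirect_uri host, which accepts agency.gov.example.com because it starts with the registered host agency.gov, beside an exact-match check of scheme, host, port and path. The registered URI, the attacker host and the authorization code are constructed for the example; the authorize function only simulates where the user agent would be sent.

```python
# Added example, not Login.gov code. Compares a prefix-based redirect_uri
# check (the class of bug in the report) with exact matching.
from typing import Callable, Optional
from urllib.parse import urlparse

# Constructed allow-list: the relying party's registered redirect URI.
REGISTERED_REDIRECT_URIS = [
    "https://agency.gov/auth/callback",
]


def validate_redirect_uri_prefix(redirect_uri: str) -> bool:
    """Flawed check: accepts any redirect_uri whose host merely starts with a
    registered host. 'agency.gov.example.com' passes because it begins with
    'agency.gov', so an attacker-controlled domain receives the code."""
    parsed = urlparse(redirect_uri)
    host = parsed.hostname or ""
    for registered in REGISTERED_REDIRECT_URIS:
        reg = urlparse(registered)
        if parsed.scheme == reg.scheme and host.startswith(reg.hostname):
            return True
    return False


def validate_redirect_uri_exact(redirect_uri: str) -> bool:
    """Hardened check: scheme, host, port, path and query must match a
    registered URI exactly, and fragments are rejected outright."""
    parsed = urlparse(redirect_uri)
    if parsed.hostname is None or parsed.fragment:
        return False
    candidate = (parsed.scheme, parsed.hostname, parsed.port,
                 parsed.path, parsed.query)
    for registered in REGISTERED_REDIRECT_URIS:
        reg = urlparse(registered)
        if candidate == (reg.scheme, reg.hostname, reg.port,
                         reg.path, reg.query):
            return True
    return False


def authorize(redirect_uri: str,
              validator: Callable[[str], bool]) -> Optional[str]:
    """Simulates the authorize endpoint's final step: if the validator accepts
    the redirect_uri, the user agent is redirected there carrying the
    authorization code. Returns the Location value, or None when rejected.
    The code value is constructed for the example."""
    if not validator(redirect_uri):
        return None
    return f"{redirect_uri}?code=CONSTRUCTED_CODE"


if __name__ == "__main__":
    attacker = "https://agency.gov.example.com/auth/callback"
    print("prefix check :", authorize(attacker, validate_redirect_uri_prefix))
    print("exact check  :", authorize(attacker, validate_redirect_uri_exact))
```

With the prefix check the code is delivered to agency.gov.example.com, which the attacker controls; with exact matching the request is refused before any redirect is issued, which is the behaviour the OAuth 2.0 security best-practice guidance asks for (exact string comparison of redirect URIs rather than pattern or prefix matching).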
GSA Bounty: CSRF in generating a new Personal Key
Hello team, I would like to report a CSRF that would allow an attacker to change a user's personal key. Vulnerable URL: staging.login.gov. POC: use the following HTML form for performing the CSRF attack: history.pushState('', '', '/') This will redirect you to...
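The vulnerability class in that report, as an added example that is neither the reporter's proof of concept nor Login.gov's code: a personal-key regeneration handler that acts on any authenticated POST, beside one that requires a per-session token in the form body. The Session and Request types, the field name authenticity_token (the Rails convention, assumed here) and the key format are constructed for the example.

```python
# Added example, not the reporter's PoC or Login.gov code. Shows why a
# state-changing POST needs a CSRF token: the victim's browser sends the
# session cookie with a cross-site form, but the attacker's page cannot
# read the per-session token (same-origin policy) and so cannot supply it.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for the server-side session bound to the cookie."""
    user: str
    personal_key: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for an incoming request: the method and the form
    fields the browser submitted. A cross-site form controls the fields."""
    method: str
    form: dict


def regenerate_personal_key_vulnerable(session: Session, request: Request) -> bool:
    """Vulnerable: any POST arriving with the session cookie regenerates the
    key, including one auto-submitted by an attacker's page."""
    if request.method != "POST":
        return False
    session.personal_key = secrets.token_hex(8)  # constructed key format
    return True


def regenerate_personal_key_protected(session: Session, request: Request) -> bool:
    """Protected: the form must carry the session's CSRF token, compared in
    constant time. A cross-site form cannot obtain it, so it is rejected."""
    if request.method != "POST":
        return False
    submitted = request.form.get("authenticity_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return False
    session.personal_key = secrets.token_hex(8)  # constructed key format
    return True


def cross_site_request() -> Request:
    """What an attacker-controlled page can make the victim's browser POST:
    the cookie goes along automatically, but no token is available to it."""
    return Request(method="POST", form={})


def same_site_request(session: Session) -> Request:
    """A legitimate form rendered by the site itself includes the token."""
    return Request(method="POST", form={"authenticity_token": session.csrf_token})


if __name__ == "__main__":
    victim = Session(user="victim", personal_key="old-key")
    print("vulnerable, cross-site:",
          regenerate_personal_key_vulnerable(victim, cross_site_request()),
          victim.personal_key)
    victim = Session(user="victim", personal_key="old-key")
    print("protected, cross-site: ",
          regenerate_personal_key_protected(victim, cross_site_request()),
          victim.personal_key)
    print("protected, same-site:  ",
          regenerate_personal_key_protected(victim, same_site_request(victim)),
          victim.personal_key)
```

The token check is the minimum; in practice a framework such as Rails also rejects the request on an Origin header mismatch, and a SameSite cookie attribute narrows the window further, but neither replaces the per-session token on an endpoint that replaces a recovery credential.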