PayMaxx Closes W-2 Site after Security Hole Found

February 25, 2005 - Online payroll service provider PayMaxx closed its automated W-2 site this week after a researcher claimed that two security holes had exposed data on more than 25,000 people.

Aaron Greenspan, president of Think Computer, asserted in a paper posted on his firm’s Web site that the security problems at PayMaxx allowed any site visitor to view the W-2 forms generated for employees of PayMaxx’s clients over the last five years, according to a CNET report.

Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company’s system more than two weeks ago, after he received notification that his W-2 tax form was available online for download and printing. He said he found the problem after noticing that the link to access the W-2 included an ID number, and wondering whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.

According to the CNET News report, Greenspan found that another person’s W-2 was downloadable and readable. The vulnerability could have allowed employees at PayMaxx’s clients to access more than 25,000 W-2 forms for last year, as well as the W-2 forms for years back to 2000, he said.

PayMaxx told CNET that a third-party security company was investigating the allegations. “No system in the world is 100% secure from a sophisticated and determined hacker,” the Tennessee-based payroll company said in a statement sent to CNET. “PayMaxx has made and continues to make every effort to secure its system against any breach.”

Greenspan said his investigation also revealed that PayMaxx’s database contained a record for testing that contained a Social Security number of 000-00-0000 and a password of all zeros. That could allow anyone to log into the site and then use the lack of authentication to download all the W-2 forms in sequence, Greenspan said.
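The two problems described above (a guessable sequential form ID with no ownership check, and an all-zero placeholder test account) can be illustrated with a small constructed handler. This is an added example, not PayMaxx’s code; the `W2_TABLE` data, the session model and the function names are assumptions made for the illustration.

```python
"""Hypothetical W-2 download handler (constructed example, not PayMaxx's code).

The vulnerable version hands back any form by its sequential ID; the fixed
version requires an authenticated session, rejects placeholder SSNs such as
the all-zero test account, and checks that the form belongs to the caller.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class W2:
    form_id: int        # sequential database ID, trivially guessable
    employee_ssn: str   # owner of the form
    year: int
    wages: float


# Constructed sample rows standing in for the W-2 table.
W2_TABLE = {
    1001: W2(1001, "123-45-6789", 2004, 52000.0),
    1002: W2(1002, "987-65-4321", 2004, 61000.0),
}


class AccessDenied(Exception):
    pass


def is_real_ssn(ssn: str) -> bool:
    """Rejects malformed values and placeholders like 000-00-0000."""
    digits = ssn.replace("-", "")
    return len(digits) == 9 and digits.isdigit() and set(digits) != {"0"}


def fetch_w2_vulnerable(form_id: int) -> W2:
    """Broken access control: no session and no ownership check, so
    incrementing form_id walks the whole table."""
    return W2_TABLE[form_id]


def fetch_w2_fixed(session_ssn: Optional[str], form_id: int) -> W2:
    """Requires a logged-in, non-placeholder user who owns the form."""
    if session_ssn is None or not is_real_ssn(session_ssn):
        raise AccessDenied("no authenticated user")
    form = W2_TABLE.get(form_id)
    if form is None or form.employee_ssn != session_ssn:
        # One error for "missing" and "not yours": don't leak which IDs exist.
        raise AccessDenied("form not available")
    return form
```

Even with the ownership check in place, replacing sequential IDs with unguessable random handles removes the enumeration foothold entirely.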

PayMaxx confirmed that the test account did exist as described in Greenspan’s paper, but took issue with other allegations. The company stated that from a review of Greenspan’s paper, it had found several of his claims to be inaccurate, but did not specify which claims.