HMRC Is Shite

HMRC Is Shite
Dedicated to the taxpayers of Britain, and the employees of Her Majesty's Revenue and Customs (HMRC), who have to endure the monumental shambles that is HMRC.

Friday, 9 January 2009

The Joys of Filing Online

Tax does have to be taxing.

HMRC Is Shite (, also available via the domain, is brought to you by "The Living Brand"


  1. Thanks for the video link Ken.

    Actually, you may be able to answer a question for me (as surprisingly, Google doesn't know)

    How much input (if any) do Capgemini have in to the SA system?

    I have another video prepared (but I'm relunctant to release it) which outlines some very serious security flaws in Capgemini's site.

    Although I haven't tried to replicate these bugs in the SAO environment, it wouldn't surprise me if they've made the same mistakes there too. If they have, I would strongly advise against filing online. Don't pay too much attention to the locked padlock either; it won't keep you safe against this flaw.

  2. I filed online. It took hours.

    I still got a letter yesterday telling me that the deadline for online filing was approaching.
    I rang the number and asked if they'd received my online filing.
    The operator couldn't tell me as the system was down.
    I told him how much I owed (£2.75) and asked if they wanted me to send a cheque with the paying in slip they'd sent me.
    He said it wasn't necessary as it could be carried over.
    So why did they send the bloody letter out?
    He got a bit shirty and said that the letter went to everyone regardless.
    All those letters going out, costing how much?
    Total disarray.

  3. I won't release the PoC for the XSS & SQL injection just yet... but here's a couple of screenshots.

    CapGemini XSS Flaw 1

    CapGemini XSS Flaw 2

  4. Anon,

    Your post and screenshots are a little hard to understand, but am I right in thinking that you've hacked into the CapGem website due to script flaws on the site? If this is the case and you think the same flaws may be present on the SAO site I would suggest that you alert HMRC as a matter of urgency!

    They'll probably give you an OBE or something...

  5. Anon @ 16:16PM

    Sorry, I realise that post is probably confusing...

    PoC = Proof of Concept
    XSS = Cross Site Scripting
    SQL = Structured Query Language

    The screenshots demonstrate an XSS attack because of what is frankly, awful code. An XSS attack doesn't put the site (or "secure" content) at immediate risk, but it demonstrates that a hacker could (by way of a phishing scam) acquire personal/private information about a user... completely without their knowledge.

    If you're familiar with phishing scams, you'll know that the criminal tries to acquire your details by sending you to a visually-similar site but with a different URL. These scams can fail because the URL is detected as fraudulent by modern AV apps/browsers or spotted by astute users.

    Phishing scams combined with XSS represent a very serious security issue and one which would be very difficult to monitor; as data is never passed between the client and Capgemini's server. As such, the SSL encryption (symbolised by a padlock/key) has absolutely no effect because it can only secure data between you and the relevant server.

    Remember Ken's post regarding phishing emails appearing as if from HMRC? Visiting the correct site should mean you're protected, right? Wrong. If HMRC's site (or the SA pages) can be exploited in this way, I wouldn't like to clear that mess up!

    There's nothing (yet) to suggest that the HMRC's site is vulnerable... but I'm a firm believer in "where there's smoke, there's fire". If Capgemini's own site (which I presume was written in-house) isn't secure, it doesn't fill me with confidence; especially given the content in my video.

    If this is the case and you think the same flaws may be present on the SAO site I would suggest that you alert HMRC as a matter of urgency!

    I know from experience that's a bad idea. I've been down that route with a mainstream UK bank and a popular TV shopping channel; it just opens up a huge can of worms and I could do without the hassle.

    If something goes wrong, let them find out on their own... it will make an interesting anecdote at the next HMRC award speech.

  6. Did mine at weekend.

    Yes. I did click on a help tab and get a page not found and the "any other details" box did not work. I also had to phone help desk as I could not see, having entered expenses received, where I could enter same amount legitimately incurred so I did not end up with a "benefit". Apparently I had to click a box entitled "Expenses received and not reimbursed" Since I claimed them back from the company they had been reimbursed but maybe I speak a different English. Perhaps they should go through and see how someone who is not a tax expert would understand things.

    Not too bad otherwise, as I have said before, there are far worse commercial websites out there. The big difference is that if it is too frustrating to order, say, a kitchen cabinet we can go elsewhere, we are not obliged to continue or face a fine.

    For that reason, it is not good enough for the HMRC site to just be as good as a commercial website, it should be much, much better.

  7. PS Why do HMRC pointlessly encode the subject field in emails? Nobody else does. Had to fanny around for ages to get my email archive program to read them.

  8. PS Why do HMRC pointlessly encode the subject field in emails? Nobody else does

    Can you give an example Xoggoth?

    They may use a ticketing-style system which tags each email. If the tag changes, it's treated as a new email.

    Here's something else to try...

    Go to
    Click "Terms and Conditions" at the bottom of the page (it should load)
    Then, click "Privacy Statement". It crashes.

    I could understand it if this was a brand new product... but this "system" is nearly a decade old and it still doesn't work correctly. By now, the entire process should be polished almost to perfection.

    Instead, crucial links are dead, the servers are flaky & strapped for resources and judging by these XSS & more worryingly, SQL issues with Capgemini's site... the scripts do not comply with secure coding standards.

    For instance... a site such as HMRC's should be using link aliasing rather than hard coding. If a page (or location) changes, you simply update the alias record which propagates down to all the required pages. What HMRC appear to do is create multiple different versions of the same document, host it in different places and let old links die in a non-too graceful manner. Dead links, Error 500's and server test messages do not give the impression you're dealing with a "highly professional and efficient" organisation.

    This is really basic stuff and after a £32 million price hike(compared with EDS), I think some serious questions should be asked.

  9. Hmm, Capgemini appear to have fixed one of the issues!

    The self assessment helpdesk page crashes out with a new message today...

    "Error: Access Denied"

    It's better than throwing a 500 but still some way to go.

  10. Hi Ken,

    Purely out of interest, what video software do you use to put these videos together, please?

    I'm interested because I've just set up my own business making bespoke screen capture videos.

    Many thanks,

  11. Hi Emily

    Sorry not my video, sent to me by someone else.


  12. These videos were made using Camtasia Studio and edited (for speed) using *spit* Windows movie maker.

    I've had a tax return reminder come this morning; the shredder seemed to enjoy it.