Sign-In Security Vulnerability: Beware

itonewbie
Level 15

ProConnect Tax users are not the most active in this Community but for those who sign on regularly to this forum, you should be aware of the security risk and take actions as necessary.

This is a flaw that was previously highlighted to Intuit when this Community, in its current format, was first rolled out and it was fixed.  But lately (and I don't know when), it has resurfaced and it was brought to the attention of Intuit, who confirmed that their team "hopefully can get this fixed asap".  Since it's been a week and there's been no change, it's only fair that the Community should be made aware.

This vulnerability is relevant to only ProConnect Tax users, AFAIK.  If you use the same Intuit account for both this Community and ProConnect Tax (which many, if not most, probably do), signing into this Community will also log you in automatically to ProConnect Tax (even though it has a totally different URL).  Unbeknownst to you, this flaw exposes you to an enlarged attack surface for potential hackers, however low that risk may be.  You wouldn't want to leave your bank account logged in while you're not using it, why would tax pros want to take a chance with ProConnect Tax?  The fact that Intuit decides not to address this as a matter of priority is very concerning.

In the meantime, I would suggest that each time you log into this Community, open another tab for ProConnect Tax, and log off from ProConnect Tax manually.  Interestingly, this flaw works only in one direction - logging off from ProConnect Tax will not sign you off this Community.

@IntuitBettyJo @IntuitGabi Could you please escalate this again to the right parties and confirm when this will be fixed?  Many thanks!

---------------------------------------------------------------------------------
Still an AllStar

IntuitGabi
Community Manager

Hi @itonewbie 
We're working towards making all Intuit accounts synced. One account and one sign-in for multiple products or URLs is working as designed.
Logging into the community will not log you into your ProConnect Tax online account unless you are already signed into your ProConnect Tax account. 

I agree that logging out of an online account manually is a great practice for security. Meanwhile, I'll do some research on the inactive logout time frame for ProConnect Tax. 
Thanks for reaching out! 

itonewbie
Level 15

@IntuitGabi wrote:

Logging into the community will not log you into your ProConnect Tax online account unless you are already signed into your ProConnect Tax account. 


That's not correct.  Would you like me to post screenshots?  I have tried it on multiple machines, on different platforms, and with different browsers.  I stand by what I stated.

I am quite savvy with tech and know a problem when I see one.  I always test my observations before making any statement.

---------------------------------------------------------------------------------
Still an AllStar
IntuitGabi
Community Manager

You're correct that logging out of one does not log you out on others.

When you're away from the site and you don't sign out, do you receive pop-ups that you've been inactive in ProConnect Tax?

itonewbie
Level 15

@IntuitGabi The problem is that signing on to this Community will log user into ProConnect Tax automatically.  This is the only focus of my post.

---------------------------------------------------------------------------------
Still an AllStar
itonewbie
Level 15

I'm aware of the OIA initiative.  But the problem is that this Community is NOT part of Intuit's professional products.  And that is why signing into this Community will also NOT log you into accounts.intuit.com.  Question then is why signing into this Community would log users into ProConnect Tax automatically?

---------------------------------------------------------------------------------
Still an AllStar
IntuitGabi
Community Manager

I understand, thank you for the details. 
'Logging into the community will log you into your product', I can't confirm or deny if this is what we're aiming for. I understand what you mean by the products vs community. 

I'm often logged into the community, I accessed ProConnect earlier today and it prompted me to sign-in and I received a text verification. 


Thanks for bringing this up! I'll get some information for us. 

itonewbie
Level 15

ProConnect Tax would prompt you to log in only if you had already logged out from a previous season.

Try logging out from all sites, then log into the Community, and open ProConnect Tax.  You'll see what I mean.  It happens every time without fail.

---------------------------------------------------------------------------------
Still an AllStar
IntuitGabi
Community Manager

Currently the sign in portion is by design based on the Intuit ecosystem. When signing into community, ProConnect Tax or QuickBooks users will not be prompted to sign in again because a sign in to the 'ecosystem' has been initiated via community. 

We're looking into the sign out experience on the community, an expired page is displayed which will need attention. 

itonewbie
Level 15

@IntuitGabi wrote:

We're looking into the sign out experience on the community, an expired page is displayed which will need attention. 


With all due respect, the sign out experience on this community should not be a priority.  It's the automatic sign-in to ProConnect Tax (and QBO) that should be a concern.

---------------------------------------------------------------------------------
Still an AllStar
itonewbie
Level 15

@IntuitGabi Just one more thought on Intuit's response about ecosystem.  The concerns here are not with ecosystem but the flaw in that design, which is not fit for purpose.

Forget about us being number crunchers or mere users here, many of us are actually business consultants.  We work with businesses to design, implement, and improve systems, processes, and communication.  Optimization is about helping a company meet its objectives in ways that are efficient but yet mitigate various potential risks.  In this case, while linking this Community, which is not part of the professional tax/accounting products suite either in fact or in use, may seem expedient, it serves only to elevate security risks to unsuspecting users.  What would make more sense, in terms of ecosystem development, would be to allow automatic login from within ProConnect Tax (and QBO), to better integrate the help/support function - but not the other way round.

Intuit's responses to this issue are just another example of how counterproductive the support structure is.  First, they keep moving the goal post.  From (1) saying it will be fixed asap to (2) letting it slip into a black hole to (3) dismissing that login to the Community would also sign in to ProConnect Tax to (4) rationalizing that it is part of the design of the ecosystem.  Second, instead of examining the merits of the concerns, they would simply dismiss them in one fell swoop by insisting that it is working as designed without even the slightest attempt to address the underlying problems that had been raised.

I always wonder how the Intuit executives would react if they ever spend any time on this forum.  Or perhaps I just have too much faith because I am forever an optimist (until I am proven wrong - like now).

This will be my last post on this thread.  It is a total waste of my time and effort.  I know what to do to keep myself secure - just not so sure other unsuspecting users would.

---------------------------------------------------------------------------------
Still an AllStar
TaxGuyBill
Level 15

@IntuitGabi wrote:

Currently the sign in portion is by design

So you are saying it is designed to have a security flaw?

TaxGuyBill
Level 15

@itonewbie wrote:

I know what to do to keep myself secure

Use non-Intuit software?  🤣