TxTag trauma: state shuts down toll tag website

Posted Thursday, Apr. 10, 2014

The Texas Department of Transportation has dismantled a portion of its toll tag website after a blogger noticed that it was leaving users’ credit card information exposed.

Last week, blogger David Longnecker of Dripping Springs wrote a post highlighting a flaw in the TxTag.org website that could allow someone to view a toll tag user’s credit card information in a page’s HTML code.

“This flaw exposes personal information for the … 1.2 million drivers with active TxTags, including names, full mailing addresses, email addresses, phone numbers, and credit card numbers with expiration date,” Longnecker wrote.

Within days, Longnecker noticed that TxDOT had shut down the “Update” page of the “Autopay” section of the site, which was where the personal data was exposed. Visitors to TxTag.org are currently blocked from making any updates to the autopay feature on their account.

“TxDOT is aware of the blog post and the described vulnerability,” TxDOT spokesman Bob Kaufman said Tuesday. “There were no breaches of security on the TxTag site and no customer information was accessed.”

Kaufman said the agency disabled the page and is “working on enhancements.” Users who try to access that page are encouraged to make a one-time payment instead.

“We regret any customer inconvenience as we work to further enhance the security features of our site,” Kaufman added.
