The Texas Department of Transportation has dismantled a portion of its toll tag website after a blogger noticed that it was leaving users’ credit card information exposed.
Last week, blogger David Longnecker of Dripping Springs wrote a post highlighting a flaw in the TxTag.org website that could allow someone to view a toll tag user’s credit card information in a page’s HTML source code.
“This flaw exposes personal information for the 1.2 million drivers with active TxTags, including names, full mailing addresses, email addresses, phone numbers, and credit card numbers with expiration date,” Longnecker wrote.
Within days, Longnecker noticed that TxDOT had shut down the “Update” page of the “Autopay” section of the site, which was where the personal data was exposed. Visitors to TxTag.org are currently blocked from making any updates to the autopay feature on their account.
“TxDOT is aware of the blog post and the described vulnerability,” TxDOT spokesman Bob Kaufman said Tuesday. “There were no breaches of security on the TxTag site and no customer information was accessed.”
Kaufman said the agency disabled the page and is “working on enhancements.” Users who try to access that page are encouraged to make a one-time payment instead.
“We regret any customer inconvenience as we work to further enhance the security features of our site,” Kaufman added.