TxTag trauma: state shuts down toll tag website

04/09/2014 5:46 PM

04/10/2014 1:22 PM

The Texas Department of Transportation has dismantled a portion of its toll tag website after a blogger noticed that it was leaving users’ credit card information exposed.

Last week, blogger David Longnecker of Dripping Springs wrote a post highlighting a flaw in the TxTag.org website that could allow someone to view a toll tag user’s credit card information in a page’s html code.

“This flaw exposes personal information for the 1.2 million drivers with active TxTags, including names, full mailing addresses, email addresses, phone numbers, and credit card numbers with expiration date,” Longnecker wrote.

Within days, Longnecker noticed that TxDOT had shut down the “Update” page of the “Autopay” section of the site, which was where the personal data was exposed. Visitors to TxTag.org are currently blocked from making any updates to the autopay feature on their account.

“TxDOT is aware of the blog post and the described vulnerability,” TxDOT spokesman Bob Kaufman said Tuesday. “There were no breaches of security on the TxTag site and no customer information was accessed.”

Kaufman said the agency disabled the page and is “working on enhancements.” Users who try to access that page are encouraged to make a one-time payment instead.

“We regret any customer inconvenience as we work to further enhance the security features of our site,” Kaufman added.

Join the Discussion

Fort Worth Star-Telegram is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere on the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQ | Terms of Service