Credit Cards of Drivers in Texas Exposed Due to Vulnerability in TxTag Website

TxTag website vulnerable

Last week, security researcher David Longenecker identified a vulnerability in the Texas Department of Transportation’s website that exposed users’ details, including their credit card data.

TxTag is the system that enables drivers to travel on toll roads throughout Texas without having to worry too much about paying the tolls. There are around 1.2 million accounts on

According to the expert, hackers could have easily gained access to names, mailing addresses, phone numbers, email addresses, credit card numbers and expiration dates. The problem lies in the fact that TxTag accounts are only protected by a 4-digit PIN.

“ uses predictable account names – an 8-digit number beginning with the number 2. Account holders may select a custom account name, but the original 8-digit TxTag number assigned to the account remains valid,” the researcher explained.

“Further, limits users to a 4-digit numeric PIN. That in and of itself is a recipe for abuse. To make matters worse, TxTag inexplicably stores the complete credit card number with expiration date as a hidden field on the Update AutoPay Methods page.”

Previous research has shown that most users will select “1234” when asked to choose a 4-digit PIN. Other common variants are “1111,” “0000” and “1212.” This means that it’s probably not difficult to guess a user’s PIN.

“Given a predictable account name and a list of high-frequency PINs, it would not take an attacker long to gain access to thousands of accounts,” Longenecker noted.

“Having access to the account, one could access the account holder’s personal information, license plates, makes and models of the registered vehicles, and credit card information; one could also add additional vehicles for which tolls would be billed to the unsuspecting victim.”

The expert says there’s no evidence that the hacking method he uncovered has been used by cybercriminals, but considering how easy it is to pull of an attack, it wouldn’t be surprising if it has.

Longenecker has reported his findings to TxTag and the Texas Department of Transportation, but none of the organizations responded. However, in an update posted on Monday, the expert revealed that the website underwent scheduled maintenance during the weekend.

It’s uncertain if they’ve completely patched the security hole, but for the time being, when users access the Update AutoPay Methods page, they’re presented with a message that reads, “We are currently undergoing maintenance.”

We’ve reached out to TxTag to see if they can comment on the researcher’s claims. The article will be updated if they respond to our inquiry.

Additional details on the TxTag hack are available on David Longenecker’s website.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s