Vulnerability Management

The healthcare.gov website is ripe for attackers, experts say

The healthcare.gov website is slow, full of bugs and has been down a few times – all within one month of its Oct. 1 launch – and as a result it has been chastised by critics.

Last week, while attempting to use healthcare.gov to do research, software tester Ben Simo flipped on his web browser developer tools and identified a number of security issues that he found appalling.

“I quickly discovered that the main browser window would often display a status other than what was actually occurring,” Simo said in a blog post. “For example, the form submission would fail to get a response from the server, but the user interface would report that the form was submitted.”

What Simo noticed next was severe enough to be mentioned during congressional hearings on Oct. 30.

“I identified a series of steps that could be easily automated to collect usernames, password reset codes, security questions and email addresses from the system – without any kind of authentication,” Simo said, adding he would not reveal how it was possible, only that a “competent professional” should be able to figure it out.

Attackers with this kind of data can use it in any number of ways, most notably to orchestrate sophisticated phishing attacks to obtain security question answers, he explained. This information will allow the attacker to reset a user's healthcare.gov password and gain access to the account.

Simo brought light to the issues by reporting responsibly on his blog. He said he was glad that certain security issues on the website have since been rectified, most notably that password reset codes are no longer returned to the web browser.

But Simo said several issues still persist, including that the system confirms in error messages whether usernames or email addresses exist, and that it transmits both username and password reset codes via email. Additionally, password reset codes remain the same with each request, and username and password reset codes are sent to third-party analytics companies.

This means an attacker can silently change email addresses associated with accounts and that personal information used to confirm a user's identity is returned to the browser, according to Simo, who added that most of the work required to carry out these tasks can be automated.

The hits just keep coming. On Thursday, Simo updated his post to include another issue through which the system will return a username for an account by simply providing a user's real name and email address. “No other authentication is required,” he said.

Kyle Adams, a chief software architect at network solutions firm Juniper Networks, told SCMagazine.com in a Thursday email that he reviewed HTML and HTTP traffic details on healthcare.gov.

“A fair amount of backend implementation information is disclosed to the client,” Adams said. “This is generally not advisable because it allows attackers to target their attacks more efficiently. It also allows attackers to identify the architecture and find holes in the business logic and code interactions.”

Perhaps one of the biggest problems facing the healthcare.gov website is that it is run by an estimated 500 million lines of code, Avivah Litan, vice president and distinguished analyst at research firm Gartner, told SCMagazine.com on Thursday. That is about 10 times the lines of code in Windows XP, she added.

“It's simply too big a program to manage from a security perspective given the level of expertise and coordination assigned to the project as we have come to know it,” Litan said, adding that researchers have advised her the code is sloppy and elementary.

Copious amounts of personal information stored on healthcare.gov make it a goldmine for attackers, Litan said, explaining the existing vulnerabilities mixed with the new ones being discovered every day will make the website a more attractive target than banks, retailers and payment processors that hackers have already had success compromising.

“Frankly, I think the Obama administration should cut their losses and fess up and admit they need to get the system overhauled and rewritten,” Litan said. “And that is not going to take one or two months, as they say. The best they will be able to do in that timeframe is fix the performance issues. The security issues are surely much more complex. You can't just throw horsepower at them. You need intelligent software and layers of defense.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds