20131013

Problem ID: 4018056419863693885
Entered by: Ben Simo

Healthcare.gov's email validation system is fundamentally flawed: FIXED

FIXED: As of 11/05 (maybe sooner), this issue has been fixed. The last step of account creation no longer sends the email verification code (also the password reset code) to the user's browser. This fix should now prevent people from activating accounts using others' or fake email addresses.




At the end of the Healthcare.gov account creation process, they send an email to the provided email address that contains a URL to activate your account.  Email verification systems like this are common and help ensure the person who creates an account on a system actually owns the email account.

However, Healthcare.gov's email validation is fundamentally flawed. It is flawed in that it returns the email verification code (the one that is emailed) to the browser. This enables people with malicious intent to create a Healthcare.gov account with another's email and activate it without receiving the verification email.





The design of this email verification system suggests it was created by someone with no understanding of the purpose of what they built.

  Edit

1 Comment:

November 10, 2015 at 7:59 AM  
Comment ID: 2268873425413562335
Written by: Unknown

Amen to the fundamentally flawed! I attempted to create a healthcare.gov account in June 2015. I never received a verification email from my account creation. I'm a computer systems engineer with 30+ years experience so I am by no means your average user. Prior to creating new registrations I clean the spam folder housed on my ISP's server and clean the junk folder in my email client. That way if any emails get trapped in one of those locations as a result of creating a new registration the emails are easy to find in a very short or empty list. We all know spam just keeps coming.... Now if you don't receive the verification email there is absolutely nothing that the healthcare.gov people can do to regenerate a verification email. A major oversight of the Business Analyst doing used cases for failure modes. Dozens of request to have the situation resolved have gone nowhere.

Post a Comment