It appears that, maybe, one of the issues I reported has been fixed today.
Last night, requests for password resets were returning the code needed to reset a password to the browser -- a code that should be sent via email without being returned to the web browser. This could enable access to the password reset functionality (which exposes security questions) with only a username. No knowledge of or access to the registered email account is needed. It looked like this:
Then, this afternoon, I got responses that no longer include the password reset code:
I am currently getting error messages (returned to the browser, but not displayed in the browser) that say "The System is down at the moment | HealthCare.gov".
I hope that the difference in behavior is due to the issue being fixed or the password reset feature being taken offline. If this was an intentional fix, this is movement in the right direction. It still doesn't excuse returning such info in the first place.
Fingers crossed... But wait, password reset is still insecure...
PS: Crossing fingers and hoping it works doesn't do much for software quality.
UPDATE 10/28: HHS has confirmed that they have fixed the password reset part of the chain of vulnerability I reported.
You can read more at: A security flaw in the original design of Healthcare.gov that could have disclosed email and other account information to hackers was eliminated Monday during an overnight fix, a Center For Medicare and Medicaid Services spokesman told TIME.