I am Appalled!
Healthcare.gov reveals usernames, password reset codes, email addresses, and security questions without any authentication -- and connects all this info to the username.
If an attacker guesses a username (or intercepts it, as I've also seen my username sent without encryption in parts of the site), the site will:
- confirm existence of the username
- reveal the password reset code without access to the user's email (Fixed 10/26,10/28.)
- reveal the security questions (not answers)
- reveal the email address
The site also sends usernames and password reset codes to 3rd party web analytics and advertising companies.
This information could then be used to identify the user's real name and security question answers based on their online social activity, and/or to engage in social engineering to get the owner of the account (or their friends) to give up information needed to access the account.
I am not providing details as to how this is possible. Although what I've learned is something any competent web security professional (malicious or ethical) can find within an hour, I do not want to enable (or give the impression of enabling) others to attack the site.
This level of security is unacceptable. I have only used the site as intended (with my browser's developer tools showing me the requests it makes to the site and the responses received). I have not attempted to gain unauthorized access or provide input through interfaces other than the one displayed in a browser without developer tools enabled. We can only imagine what additional security flaws exist that might be easily found by someone with malicious intent who tries to provoke the site into revealing info.
I am now of the opinion that no one should trust Healthcare.gov with any information. The externally visible lack of security is appalling and suggests incompetence on the part of those who built it.
ReplyDeleteCompare and contrast.