20131013

Problem ID: 5386918206108321737
Entered by: Ben Simo

Healthcare.gov exposes existing usernames and email addresses

As a fundamental principle in software system security, it is considered wrong to expose anything about protected data in a system in the error messages that are returned to those who are not authorized to access that data.

For example, if one enters an incorrect username and/or password, you do not tell them whether the username or password is incorrect. Confirming that a username exists is useful information to someone who is trying to gain unauthorized access: it allows them to narrow their attack to a known username and/or combine the username with other info to aid in guessing or otherwise gaining access to the password.  Such information is useful in social engineering.

GIVEN that not disclosing information to the unauthorized in error messages is a practice that is expected of any competent web application developer
AND that Healthcare.gov is a system many are required by law to use
AND that Healthcare.gov contains private information,
THEN let's take a look at what we get from Healthcare.gov:

[Screenshots of the Healthcare.gov error messages not preserved]
FAIL!

PS: Given a real constraint on unique usernames, obfuscating the fact that a username exists may not be easy. However, one could at least present a more ambiguous error message along the lines of "That username is invalid. Please try another." Or, let the system generate the usernames in a way that no conflicts are created. (See comment below.)


5 Comments:

October 13, 2013 at 6:14 PM  
Comment ID: 782082961323193635
Written by: Ben Simo

So, how does one create a unique username without exposing what other usernames exist in the system?

One approach I've seen used is to:
1) Get a username from the user
2) Generate a few random characters
3) Append those random characters to the user-provided username
4) Check if the username (consisting of user-provided and random characters) exists. If it does, try a new set of random characters.
5) Tell the user what username has been generated for them.

This mix of a user-provided name and a few randomly generated characters provides a username the user should be able to remember without exposing what usernames exist.

If you know of other approaches for protecting usernames, please share them.
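Steps 1 to 5 of the comment above, together with the uniform login error the post recommends, as an added Python example (not code from the blog or from Healthcare.gov); the in-memory USERS store, the four-character suffix and the placeholder password hash are assumptions for the demo:

```python
import hashlib
import hmac
import secrets
import string

# Constructed in-memory user store for the example: username -> password digest.
# A real system would use a database and a dedicated slow password hash.
USERS: dict[str, bytes] = {}

SUFFIX_ALPHABET = string.ascii_lowercase + string.digits


def _hash_password(password: str) -> bytes:
    # Placeholder digest for the demo only; not a suitable password hash.
    return hashlib.sha256(password.encode()).digest()


def register(requested_name: str, password: str,
             suffix_len: int = 4, attempts: int = 10) -> str:
    """Take the user's chosen name, append a few random characters, retry on
    collision, and return the username actually created. The caller never
    learns whether the bare requested name was already taken by someone else."""
    for _ in range(attempts):
        suffix = "".join(secrets.choice(SUFFIX_ALPHABET) for _ in range(suffix_len))
        candidate = f"{requested_name}{suffix}"
        if candidate not in USERS:
            USERS[candidate] = _hash_password(password)
            return candidate
    raise RuntimeError("could not allocate a unique username; please try again")


def login(username: str, password: str) -> tuple[bool, str]:
    """Return (ok, message). The message is identical whether the username is
    unknown or the password is wrong, so a failed login never confirms that a
    username exists."""
    stored = USERS.get(username)
    # Compare against a dummy digest when the user is unknown so both failure
    # cases run the same code path (and roughly the same amount of work).
    expected = stored if stored is not None else _hash_password("")
    match = hmac.compare_digest(expected, _hash_password(password))
    if stored is None or not match:
        return False, "Invalid username or password."
    return True, "Login successful."
```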

October 26, 2013 at 4:52 AM  
Comment ID: 3050667787301808702
Written by: Srinivas Kadiyala

Nice, tricky approach. But on which website has anyone implemented it?

October 26, 2013 at 4:55 AM  
Comment ID: 2684165394114949512
Written by: Srinivas Kadiyala

Instead of only "username is incorrect" OR "password is incorrect"

Can we have "Invalid Username/Password." as error message?

What kind of error messages can we have?

October 29, 2013 at 10:57 PM  
Comment ID: 2015225717660377981
Written by: Anonymous

I don't think knowing that a user name exists is as bad as you say. This is what Google returns straight away when you try to create an account with an existing email address: "This email address already corresponds to a Google Account. Please sign in or, if you forgot your password, reset it."

October 29, 2013 at 11:21 PM  
Comment ID: 3468845097121533367
Written by: Ben Simo

Google usernames are part of public profiles. Google also offers users the option to enable a 2-step account info recovery that contacts them by phone as well as email.

Healthcare.gov is a system that collects personal information that would be a goldmine for identity thieves. A system like Healthcare.gov is deserving of a higher standard. I'm not an attorney, but revealing this information appears to violate the site's own privacy policy and the Privacy Act of 1974.

Exposing usernames and email addresses contributes to making the site less secure when Healthcare.gov also:
* Keeps the same password reset code without changing it with each use attempt
* Sends usernames and password reset codes via insecure email -- together
* Reveals email addresses that go with a username
* Doesn't notify old email address of email address changes

Confirming intercepted or guessed passwords is the first step in taking advantage of many other potential security vulnerabilities.
