20131014

Healthcare.gov is returning stack traces to the browser

I log in to Healthcare.gov and discover that my data has disappeared again. It says I have no email, phone, address, or state set. The application page also shows none of my information.

I then take a look at the web traffic between my browser and the servers, and see that one of the requests returned an HTTP 500 error -- an Internal Server Error.  I then look at the error response and discover that it contains a history of five stack traces.

A stack trace lists the chain of function calls that were active when an error occurred on the computer -- in this case, a Healthcare.gov server -- including source file names, class names, and line numbers. To software developers, this information is useful in determining what occurred and fixing errors. To attackers with malicious intent, this information may be useful in understanding the internals of the system -- which frameworks and libraries are in use, how the code is structured, and where it fails -- understanding that might aid them in an attack.

Secure systems do not expose this information.
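As an added example (not code from the post or from Healthcare.gov), here is the difference in a small Python request handler: the insecure variant writes the stack trace into the HTTP body, as the post observed; the safe variant logs the full trace server-side under a correlation id and returns only a generic 500 message. A third function is a simple detection check a tester or a response-scanning proxy could apply to catch responses that leak traces. The failing handler, the regex markers, and the function names are constructed for this example.

```python
"""Added example: handling an unexpected server error without leaking the
stack trace to the client, plus a check for responses that do leak one."""
import logging
import re
import traceback
import uuid

log = logging.getLogger("app.errors")

# Patterns that commonly appear when a stack trace ends up in an HTTP body
# (Python tracebacks and Java exception dumps). Constructed for this example.
_TRACE_MARKERS = re.compile(
    r"Traceback \(most recent call last\)"      # Python header line
    r"|^\s+File \".+\", line \d+"               # Python frame line
    r"|^\s+at [\w$.]+\([\w.]+:\d+\)",           # Java frame line
    re.MULTILINE,
)


def leaking_error_response(exc):
    """Insecure: the full trace goes back to the browser (what the post saw)."""
    body = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, body


def safe_error_response(exc):
    """Safe: keep the trace in the server log under a correlation id and give
    the client only a generic message carrying that id for support lookups."""
    incident_id = uuid.uuid4().hex
    log.error("incident %s: unhandled %s", incident_id,
              type(exc).__name__, exc_info=exc)
    return 500, f"Internal Server Error (reference {incident_id})"


def response_leaks_stack_trace(body):
    """Detection check: does an HTTP response body contain a stack trace?"""
    return bool(_TRACE_MARKERS.search(body))


def handle(request_fn, debug=False):
    """Run a request handler and translate any unhandled exception into an
    HTTP response. Only a debug build should ever expose the trace."""
    try:
        return 200, request_fn()
    except Exception as exc:  # noqa: BLE001 - deliberately catch-all here
        return leaking_error_response(exc) if debug else safe_error_response(exc)


def _load_profile():
    """Constructed failing handler: a profile lookup that returned nothing,
    roughly the situation behind a missing-data page."""
    profile = None
    return profile["email"]  # raises TypeError


if __name__ == "__main__":
    for debug in (True, False):
        status, body = handle(_load_profile, debug=debug)
        print(f"debug={debug} status={status} leaks_trace="
              f"{response_leaks_stack_trace(body)}")
```

Running the block prints one line per mode; the debug mode leaks the trace and the default mode does not. In a real deployment the same idea applies at the framework level: a custom error handler (or an equivalent setting in the application server) that never passes exception details into the response, with the detection check used in a test suite or proxy to catch regressions.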
