I logged into Healthcare.gov with Internet Explorer 10 and selected the "MY PROFILE" option. I was surprised to see that it showed that I had no email address, phone number, address, or state selection in the system. I had previously provided all of this information.

I tried to add my email back onto my account and got an error message.

I then tried to select a state and got an error message.

So, I then took a look at the network traffic using the browser's developer tools in hopes that I might see more information about whatever error condition had made my information disappear. I was surprised to see that my username was in the URLs of some of the requests. (Sorry, I've masked my username in the images.)

I then looked at the details of each of the requests that contained my username and encountered another surprise: some of the requests were sent over HTTP instead of HTTPS. HTTP is not secure and can easily be intercepted. Healthcare.gov is sending usernames over insecure HTTP. This could easily give people with malicious intent information useful in accessing accounts without authorization.

Additionally, some of these insecure HTTP requests include cookies -- cookies that contain information about you and your usage of Healthcare.gov.

For example, the history cookie contains data like the following. I don't know what other info it may contain, but the mostly-empty data structure here suggests it may contain information that should be kept private.
[{"url":"/","data":{"tags":[],"topics":[],"audience":[],"status":[],"state":[],"condition":[]}},{"url":"/exemptions","data":{"tags":["promote","individuals"],"topics":["rights-protections-and-the-law","health-insurance-marketplace","health-insurance-basics"],"audience":[],"status":[],"state":[],"condition":[]}},{"url":"/creating-an-account-and-logging-in","data":{"tags":[],"topics":[],"audience":[],"status":[],"state":[],"condition":[]}},{"url":"/apology/404.html","data":{"tags":[],"topics":[],"audience":[],"status":[],"state":[],"condition":[]}},{"url":"/marketplace/individual","data":{"tags":[],"topics":[],"audience":[],"status":[],"state":[],"condition":[]}}]
And, as another example, the quickAnswers cookie contains some high-level demographic information that is entered during the application process.
{"audience":"family","age":"30to64","state":"Arizona"}
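As an added example (not part of the original post, and not Healthcare.gov code), here is how a site owner or auditor could check a captured list of requests for the two problems described above: an account name appearing in a URL, and cookies being sent on a plaintext http:// request. The request list, username and cookie contents are constructed placeholders modelled on the post; the Secure/HttpOnly check is the standard browser-side mitigation and is not something the post itself discusses.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the requests described in the post; the
# username and cookie contents are placeholders, not captured Healthcare.gov data.
USERNAME = "EXAMPLE_USER"
HISTORY_COOKIE = json.dumps([
    {"url": "/", "data": {"tags": [], "topics": []}},
    {"url": "/exemptions", "data": {"tags": ["promote", "individuals"], "topics": []}},
])
QUICK_ANSWERS = json.dumps({"audience": "family", "age": "30to64", "state": "Arizona"})
SAMPLE_REQUESTS = [
    {"url": "https://www.healthcare.gov/marketplace/individual",
     "headers": {"Cookie": "quickAnswers=" + QUICK_ANSWERS}},
    {"url": "http://www.healthcare.gov/profile/%s/contact" % USERNAME,
     "headers": {"Cookie": "history=" + HISTORY_COOKIE + "; quickAnswers=" + QUICK_ANSWERS}},
    {"url": "http://www.healthcare.gov/static/app.js", "headers": {}},
]

def cookie_names(cookie_header):
    """Names of the cookies carried in a Cookie request header."""
    return [c.split("=", 1)[0].strip() for c in cookie_header.split(";") if "=" in c]

def audit_requests(requests, username):
    """Flag the two problems the post describes: the account name in a URL,
    and cookies carried on a plaintext http:// request."""
    findings = []
    for req in requests:
        url = req["url"]
        parts = urlsplit(url)
        query_values = [v for vals in parse_qs(parts.query).values() for v in vals]
        if username.lower() in parts.path.lower() or any(
                username.lower() in v.lower() for v in query_values):
            findings.append(("username-in-url", url))
        cookie = req.get("headers", {}).get("Cookie")
        if parts.scheme == "http" and cookie:
            findings.append(("cookies-over-http:" + ",".join(cookie_names(cookie)), url))
    return findings

def history_urls(history_cookie_value):
    """Pages recorded in the history cookie, i.e. what a passive observer learns."""
    return [entry["url"] for entry in json.loads(history_cookie_value)]

def missing_cookie_protections(set_cookie_header):
    """Set-Cookie attributes that stop the browser sending it over http:// or to scripts."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
```

Running audit_requests(SAMPLE_REQUESTS, USERNAME) reports both findings against the profile request only; the https request and the cookie-less static request are clean.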