20131013

Healthcare.gov sent my username and more over insecure HTTP

I logged into Healthcare.gov with Internet Explorer 10 and selected the "MY PROFILE" option. I was surprised to see that it showed that I had no email address, phone number, address, or state selection in the system. I had previously provided all of this information.




I tried to add my email back onto my account and got an error message.




I then tried to select a state and got an error message.




So, I then take a look at the network traffic using the browser's developer tools in hopes that I might see more information about whatever error condition has made my information disappear.  I am surprised to see that my username is in the URLs of some of the requests. (Sorry, I've masked my username in the images.)




I then look at the details of each of the requests that contain my username and encounter another surprise: some of the requests are sent over HTTP instead of HTTPS. HTTP is not secure and can easily be intercepted. Healthcare.gov is sending usernames over insecure HTTP. This could easily give people with malicious intent information useful in accessing accounts without authorization.




Additionally, some of these insecure HTTP requests include cookies -- cookies that contain information about you and your usage of Healthcare.gov.



For example, the history cookie contains data like the following. I don't know what other info it may contain, but the mostly-empty data structure here suggests it may contain information that should be kept private.
[{"url":"/","data":{"tags":[],"topics":[],"audience":[],"status":[],"state":[],"condition":[]}},{"url":"/exemptions","data":{"tags":["promote","individuals"],"topics":["rights-protections-and-the-law","health-insurance-marketplace","health-insurance-basics"],"audience":[],"status":[],"state":[],"condition":[]}},{"url":"/creating-an-account-and-logging-in","data":{"tags":[],"topics":[],"audience":[],"status":[],"state":[],"condition":[]}},{"url":"/apology/404.html","data":{"tags":[],"topics":[],"audience":[],"status":[],"state":[],"condition":[]}},{"url":"/marketplace/individual","data":{"tags":[],"topics":[],"audience":[],"status":[],"state":[],"condition":[]}}]

And, as another example, the quickAnswers cookie contains some high-level demographic information that is entered during the application process.

{"audience":"family","age":"30to64","state":"Arizona"}

There might be other information in the cookies that should be kept private, but I did not dig into the possible meanings of the data in the cookies.  Session cookies could possibly be intercepted and used to authorize the system as you from another system.

This is a huge security flaw. It is a very basic security principle that you do not send private information over HTTP. Usernames to a big government system that people are required by law to use should be treated as private information. However, Healthcare.gov is sending such data over HTTP without any encryption. 

This give me more reason to doubt that the folks who built Healthcare.gov take security seriously. And by not taking security seriously, they are disrespecting every American who needs to use their system.

Perhaps there are more security flaws swarming around whatever error condition leads to the site not being able to display or set my account information.

No comments:

Post a Comment