Problem ID: 6378424101237131298
Entered by: Ben Simo

Healthcare.gov email subscription system discloses Marketplace user email addresses

The Healthcare.gov account creation process is not the only system component to expose user email addresses: the email subscription management system makes it even easier to determine if an email address exists in the system.

The footer of emails from Healthcare.gov contains a link to a Subscriber Preferences Page that can be used to subscribe to and unsubscribe from emails from Healthcare.gov.

Clicking the link goes to a form requesting an email address.

When I enter an email address associated with a Healthcare.gov Marketplace user account, the site shows that the email address is subscribed to a topic called "For Account Holders". There is no challenge to verify that I am the owner of the entered email address.

When I enter an email address that is not associated with a Healthcare.gov account, I get a different response -- a form to create an email subscription account.

In providing a different response for email addresses that have Healthcare.gov accounts and those that do not, this email subscription system is revealing whether or not an email address is tied to a Healthcare.gov account. This information may be useful to attackers seeking unauthorized access to Healthcare.gov.
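The following is an added illustration, not code from the report or from Healthcare.gov, of the response-oracle problem described above and of the usual fix: the lookup form answers identically whether or not the address is known, and the actual subscription state is only delivered to the mailbox (via an HMAC-signed management link), so only someone who can read that inbox learns it. The subscriber table, the `example.com` addresses, the `example.invalid` URL, the secret key, and every function name here are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample subscriber table (stands in for the real backend store).
SUBSCRIBERS = {
    "alice@example.com": ["For Account Holders"],
}

# Per-process secret for signing management links; a real service would load
# this from its secrets store rather than generate it at import time.
SECRET_KEY = secrets.token_bytes(32)


def normalize(email: str) -> str:
    return email.strip().lower()


def lookup_preferences_vulnerable(email: str) -> str:
    """Reproduces the behaviour the report describes: the page body itself
    reveals whether the address is in the system."""
    topics = SUBSCRIBERS.get(normalize(email))
    if topics is not None:
        return "You are subscribed to: " + ", ".join(topics)
    return "No subscription found. Create a subscription account:"


@dataclass
class Outbox:
    """Stand-in for the mail transport; records (recipient, body) pairs."""
    sent: list = field(default_factory=list)


def management_token(email: str) -> str:
    """HMAC over the normalized address; only the server can mint a valid one."""
    return hmac.new(SECRET_KEY, normalize(email).encode(), hashlib.sha256).hexdigest()


def verify_management_token(email: str, token: str) -> bool:
    # compare_digest avoids leaking the token through comparison timing.
    return hmac.compare_digest(management_token(email), token)


def lookup_preferences_hardened(email: str, outbox: Outbox) -> str:
    """Same response for every address. Known addresses get a signed link by
    email; the page never says which case applied."""
    addr = normalize(email)
    if addr in SUBSCRIBERS:
        link = f"https://example.invalid/preferences?email={addr}&token={management_token(addr)}"
        outbox.sent.append((addr, "Manage your email subscriptions: " + link))
    return "If this address has a subscription, we have emailed it a link to manage preferences."


def show_preferences(email: str, token: str):
    """The management page: only a holder of a valid signed link sees state."""
    if not verify_management_token(email, token):
        return None
    return SUBSCRIBERS.get(normalize(email), [])


def responses_differ(handler, known: str, unknown: str) -> bool:
    """Minimal self-check a reviewer can run: does the response body change
    between an address that exists and one that does not?"""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("vulnerable leaks:", responses_differ(lookup_preferences_vulnerable,
                                                "alice@example.com", "nobody@example.com"))
    box = Outbox()
    print("hardened leaks: ", responses_differ(lambda e: lookup_preferences_hardened(e, box),
                                                "alice@example.com", "nobody@example.com"))
    print("mail sent:", box.sent)
```

The `responses_differ` check only compares bodies; a review of a real form should also compare status codes, redirects, and response timing for the two cases, since any of them can carry the same signal. Sending nothing for unknown addresses is a deliberate choice to keep the form from being used to mail arbitrary people; sending a neutral "no subscription on file" note is an equally valid alternative as long as the page response stays identical.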

Oh, and when I unsubscribed from emails, I got a confirmation email telling me that unsubscribing means that I'll receive future email updates.

You unsubscribed from topics:
  • For Account Holders
You will receive an email update when new information becomes available.

Is there a problem here?


