20131017

Healthcare.gov email subscription system discloses Marketplace user email addresses

The Healthcare.gov account creation process is not the only system component to expose user email addresses: the email subscription management system makes it even easier to determine if an email address exists in the system.

The footer of emails from Healthcare.gov contain a link to a Subscriber Preferences Page that can be used to subscribe and unsubscribe to emails from Healthcare.gov.





Clicking the link goes to a form requesting an email address.





When I enter an email address associated with a Healthcare.gov Marketplace user account, the site shows that the email address is subscribed to a topic called "For Account Holders".  There is no challenge to verify that I am the owner of the entered email address.





When I enter an email address that is not associated with a Healthcare.gov account, I get a different response -- a form to create an email subscription account.




In providing a different response for email addresses that have Healthcare.gov accounts and those that do not, this email subscription system is revealing whether or not an email address is tied to a Healthcare.gov account. This information may be useful to attackers seeking unauthorized access to Healthcare.gov.


Oh, and when I unsubscribed from emails, I got a confirmation email telling me that unsubscribing means that I'll receive future email updates.

You unsubscribed from topics:
  • For Account Holders
You will receive an email update when new information becomes available.

Is there a problem here?

No comments:

Post a Comment