Beyond a glitch: massive security hole found in Obamacare site software
**Posted by Phineas
Yet another reason to feel secure in the knowledge that the government is forcing people into this system under penalty of law:
Until the Department of Health fixed the security hole last week, anyone could easily reset your Healthcare.gov password without your knowledge and potentially hijack your account.
The glitch was discovered last week by Ben Simo, a software tester in Arizona. Simo found that gaining access to people’s accounts was frighteningly simple. You could have:
- guessed an existing user name, and the website would have confirmed it exists.
- claimed you forgot your password, and the site would have reset it.
- viewed the site’s unencrypted source code in any browser to find the password reset code.
- plugged in the user name and reset code, and the website would have displayed a person’s three security questions (your oldest niece’s first name, name of favorite pet, date of wedding anniversary, etc.).
- answered the security questions wrong, and the website would have spit out the account owner’s email address — again, unencrypted.
Armed with the account holder’s email address, a person with malicious intent could easily track down their target on social media, where they’d likely discover the answers to those security questions.
It wouldn’t have even taken a skilled hacker. Anyone with bad intentions — and a minimal understanding of how to read a website’s code — could have figured it out. While such an attack might not have yielded your Social Security number or health information, it would have exposed your address and phone number.
But, don’t worry. Rest easy. They’ve fixed that problem… After the site had been operating for three weeks.
Remember, there’s never just one roach.
(Crossposted at Public Secrets)