Cybersecurity expert after finding an easy way to hack HealthCare.Gov: “This seems really sloppy”
posted at 6:01 pm on October 29, 2013 by Erika Johnsen
The many “glitches” still plaguing the ObamaCare website are making it ever more apparent that the many Congressmen, officials and IT experts warning about the potential for major security breaches in the online system were most definitely not just engaging in baseless partisan concern-trolling. If the Obama administration couldn’t even manage to execute a smooth signup process from the get-go, one shudders to think how much effort they’ve put into safeguarding users’ privacy and security, and CNN reports that one cybersecurity expert already found a way to hack into HealthCare.Gov accounts last week:
The glitch was discovered last week by Ben Simo, a software tester in Arizona. Simo found that gaining access to people’s accounts was frighteningly simple. You could have:
- guessed an existing user name, and the website would have confirmed it exists.
- claimed you forgot your password, and the site would have reset it.
- viewed the site’s unencrypted source code in any browser to find the password reset code.
- plugged in the user name and reset code, and the website would have displayed a person’s three security questions (your oldest niece’s first name, name of favorite pet, date of wedding anniversary, etc.).
- answered the security questions wrong, and the website would have spit out the account owner’s email address — again, unencrypted. …
“This seems really sloppy,” Simo said. “Either the developers were incompetent and did not know how to do the basic things to protect user information, or the development was so fractured that the individuals building the system didn’t understand how they fit into the bigger picture.” …
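The chain CNN describes is a password-reset flow that demands no proof of identity and leaks something at every step. As an added illustration that is not code from this page, from CNN, or from HealthCare.Gov, the toy Python below models each quoted step as a vulnerable handler and places a hardened handler beside it: the same response whether or not a username exists, a reset token generated server-side and delivered only out-of-band, stored hashed, compared in constant time, and burned after a few wrong answers. The account record, function names, field names and messages are all constructed for this example.

```python
"""Toy model of the reset-flow weaknesses in the CNN excerpt, beside a
hardened variant. Constructed illustration: the account data, function
names and messages are invented for this example; none of it is
HealthCare.gov code."""
import hashlib
import hmac
import secrets

# Constructed sample account (not real data).
USERS = {
    "jdoe": {
        "email": "jdoe@example.com",
        "questions": {"oldest niece's first name": "ann",
                      "name of favorite pet": "rex",
                      "wedding anniversary": "06/12"},
    }
}

# ---------- Vulnerable flow: one function per quoted step ----------
VULN_CODES = {}  # username -> plaintext reset code held by the server

def vuln_check_username(user):
    # Step 1: a different answer for known and unknown names lets an
    # attacker enumerate valid usernames.
    return "exists" if user in USERS else "no such user"

def vuln_request_reset(user):
    # Steps 2-3: the reset is triggered with no proof of identity, and the
    # code is written into the response (a hidden field, readable in the
    # page source) instead of being sent somewhere only the owner can read.
    code = secrets.token_hex(4)
    VULN_CODES[user] = code
    return {"status": "password reset", "hidden_input_reset_code": code}

def vuln_get_questions(user, code):
    # Step 4: username plus the code lifted from the page reveal the questions.
    if VULN_CODES.get(user) != code:
        return None
    return list(USERS[user]["questions"])

def vuln_answer_questions(user, code, answers):
    # Step 5: a wrong answer still returns the account's e-mail address.
    if VULN_CODES.get(user) != code:
        return {"ok": False}
    acct = USERS[user]
    if all(answers.get(q) == a for q, a in acct["questions"].items()):
        return {"ok": True, "set_new_password_for": user}
    return {"ok": False, "email": acct["email"]}

# ---------- Hardened flow ----------
RESET_TOKENS = {}   # sha256(token) -> {"user": ..., "attempts": ...}
OUTBOX = []         # stands in for out-of-band e-mail delivery (constructed)
GENERIC = "If that account exists, reset instructions were sent to its e-mail."
MAX_ATTEMPTS = 3

def _digest(s):
    return hashlib.sha256(s.encode()).hexdigest()

def safe_request_reset(user):
    # Identical response for known and unknown names (no enumeration). The
    # token reaches the client only through the owner's mailbox, never in
    # the page, and only its hash is stored server-side.
    if user in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[_digest(token)] = {"user": user, "attempts": 0}
        OUTBOX.append({"to": USERS[user]["email"], "token": token})
    return {"status": GENERIC}

def safe_answer_questions(token, answers):
    # The mailed token is the real proof of control; the questions are a
    # secondary check. Failures are uniform, reveal nothing about the
    # account, and the token is discarded after MAX_ATTEMPTS wrong answers.
    rec = RESET_TOKENS.get(_digest(token))
    if rec is None:
        return {"ok": False}
    rec["attempts"] += 1
    acct = USERS[rec["user"]]
    checks = [hmac.compare_digest(answers.get(q, "").strip().lower().encode(),
                                  a.encode())
              for q, a in acct["questions"].items()]   # evaluate all, no short-circuit
    ok = all(checks)
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        del RESET_TOKENS[_digest(token)]
    return {"ok": True, "set_new_password_for": rec["user"]} if ok else {"ok": False}

if __name__ == "__main__":
    code = vuln_request_reset("jdoe")["hidden_input_reset_code"]
    print("vulnerable, wrong answers:", vuln_answer_questions("jdoe", code, {}))
    safe_request_reset("jdoe")
    print("hardened, wrong answers:  ", safe_answer_questions(OUTBOX[-1]["token"], {}))
```

The shape matters more than any single fix: nothing the server returns should differ according to whether a name exists, and the secret that authorizes a reset must travel over a channel only the account owner controls. Security questions of the kind quoted (a relative's name, a pet, an anniversary) are guessable by acquaintances and should never gate a reset on their own, which is why the hardened half treats them as a check layered on top of the mailed token rather than as the credential.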
Even just reporting the “glitch” apparently took some doing on his part. The specific problem Simo points to has since been at least patched up, but it took the Obama administration and their hired guys three weeks after the rollout to finally catch it. That rather readily raises the question of how many other overlooked security holes are just waiting to be found by hackers, a lingering question that, on Sunday, House Intelligence Committee Chairman Mike Rogers suggested might mean a redesign is in order, via the WFB:
And it was very clear to me in the hearing that they do not have an overarching solid cyber security plan to prevent the loss of private information. I’m even more concerned today than I was even last week. I know that they’ve called in another private entity to try to help with the security of it. The problem is they may have to redesign the entire system. The way the system is designed, it is not secure. It is something called a boundary. Every time one agency goes to another agency with a piece of information, that is called a boundary. That’s the most — that’s the weakest, most vulnerable part of that conversation. It was clear to me they don’t have the boundaries concerned and that’s what I’m concerned about.