Friday, January 24, 2014

Security Expert: Attacker Can Host Any Content Under Healthcare.gov Umbrella

A security expert who has testified before Congress and spoken in the media about vulnerabilities in the Healthcare.gov website has weighed in on the website's latest security issue, which was first reported Thursday by THE WEEKLY STANDARD. David Kennedy, the CEO of TrustedSec, an information security firm, said that the unintended opening at Healthcare.gov detailed in Thursday's story would allow malicious scammers to fool users with a "website that's legitimate to make them believe it's something else." He said the existence of this potential pitfall on the site is "absolutely amazing," and added that "an attacker can basically create a functioning website and host any content they want there and under the umbrella of healthcare.gov."

At issue is the profile feature of the data.healthcare.gov section of the website, which allows anyone to set up a custom-made page intended to host "data-sets" based on the insurance plan information database on the website. Users can sort, group and otherwise manipulate the data to create unique presentations based on various criteria. However, the lack of disclaimers and other safeguards allows marketers, or worse, scammers and identity thieves, to establish what appear to be legitimate Healthcare.gov webpages that can be used to redirect users to other sites.

A fuller explanation of the problem, complete with examples of offending profiles, can be found in Thursday's story; but an example of how the profile feature can be misused was set up for this story and can be seen here:

The feature even made it possible to upload a clipping of an actual Healthcare.gov graphic to give the page an even more genuine look. Experienced users of the data-set feature would not be fooled, but unsuspecting users directed to the page by a link beginning with "https://data.healthcare.gov" contained in an email or another website could easily be duped into believing they had accessed a government-sanctioned webpage. Links in the profiles carry no disclaimers or warnings and could be used to redirect users to sites where personal and financial information could be harvested.

TrustedSec's Kennedy noted that by Friday morning the ability to create a data-set profile via the Healthcare.gov website had been removed, after the original story ran on Thursday. However, he pointed out that this may not solve the problem. Profiles can still be set up at opendata.socrata.com, the website that facilitates the data-set function for Healthcare.gov. It is not clear at this time, however, whether those new profiles can be accessed publicly with a data.healthcare.gov address. Accounts set up before Friday are still accessible at Healthcare.gov.

Kennedy also pointed out that other profiles have been set up at the site simply for comic purposes. One is titled The Bieb, complete with Justin Bieber's recent mug shot. Another is called William "I love bacon" Shakespeare, with a picture of the bard looking quite shocked. However, the real possibility of innocent users of Healthcare.gov having their personal information or identities stolen is no laughing matter. The longer the profile feature remains inadequately safeguarded and monitored, the more likely it is that someone simply looking for health insurance will get far more, or rather lose far more, than he bargained for.
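The safeguard the paragraph above says is missing, an outbound-link warning on user-generated profile pages, is simple to implement server-side. The following is an added example written for this post; it is not code from Healthcare.gov, Socrata or the article's author. It parses a user-supplied HTML fragment, treats any anchor whose host is not in an assumed list of trusted hosts as external, and rewrites that link through an assumed "/leaving" interstitial page that can display a disclaimer before the visitor is sent off-site. The sample fragment, the trusted-host list and the interstitial path are all constructed for the example.

```python
"""Flag and rewrite outbound links in user-generated profile HTML.

Added example, not part of the original article. TRUSTED_HOSTS and
INTERSTITIAL are assumed values for an imagined deployment.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Hosts whose links are considered "internal" (assumed values).
TRUSTED_HOSTS = {"data.healthcare.gov", "healthcare.gov", "www.healthcare.gov"}
# Assumed path of a page that shows a "you are leaving this site" warning.
INTERSTITIAL = "/leaving?"


def is_external(href: str) -> bool:
    """True if href leaves the trusted hosts.

    Handles absolute URLs, scheme-relative URLs (//host/path) and
    script/data URLs, which are treated as untrusted rather than same-site.
    """
    parts = urlsplit(href.strip())
    if parts.scheme.lower() in ("javascript", "data", "vbscript"):
        return True
    if not parts.netloc:
        return False  # relative path: stays on the current host
    return (parts.hostname or "").lower() not in TRUSTED_HOSTS


def wrap_external(href: str) -> str:
    """Route an external link through the interstitial warning page."""
    return INTERSTITIAL + urlencode({"url": href})


class LinkRewriter(HTMLParser):
    """Re-emits the fragment unchanged except for external <a href> values."""

    def __init__(self):
        # convert_charrefs=False so entities are re-emitted as written,
        # not decoded into raw characters that could change the markup.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.external = []  # original hrefs that were rewritten

    def _render(self, tag, attrs, selfclosing=False):
        parts = [tag]
        for name, value in attrs:
            if tag == "a" and name.lower() == "href" and value and is_external(value):
                self.external.append(value)
                value = wrap_external(value)
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        self._render(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._render(tag, attrs, selfclosing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def rewrite_profile_html(fragment: str):
    """Return (rewritten_html, list_of_external_hrefs_found)."""
    parser = LinkRewriter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.external


# Constructed sample profile fragment with one internal and one external link.
SAMPLE = (
    '<p>Compare plans <a href="/dataset/plans">here</a> or '
    '<a href="https://example.org/enroll">enroll now</a>.</p>'
)

if __name__ == "__main__":
    rewritten, found = rewrite_profile_html(SAMPLE)
    print(rewritten)
    print("external links flagged:", found)
```

The flagged list is also useful on the moderation side: a profile whose links all point off-site, or whose external targets collect form data, is the pattern the article describes. The rewriter only touches anchors; a real deployment would pair it with an allowlist sanitizer for the rest of the markup, since uploaded graphics and free-form HTML are what make the spoofed page convincing in the first place.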

UPDATE: Shortly after this story posted Friday morning, Healthcare.gov disabled access to all data-set profiles.  Attempts to view a profile are redirected back to data.healthcare.gov.  However, cached pages of the profiles are still available at archive.org, such as here and here.

Note: A version of this post first appeared at The Weekly Standard.
