Information Security News mailing list archives
Security hole found in Obamacare website
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 30 Oct 2013 06:40:49 +0000 (UTC)
http://money.cnn.com/2013/10/29/technology/obamacare-security/index.html

By Jose Pagliery
CNN Money
October 29, 2013

The Obamacare website has more than annoying bugs. A cybersecurity expert found a way to hack into users' accounts.
Until the Department of Health fixed the security hole last week, anyone could easily reset your Healthcare.gov password without your knowledge and potentially hijack your account.
The glitch was discovered last week by Ben Simo, a software tester in Arizona. Simo found that gaining access to people's accounts was frighteningly simple. You could have:
* guessed an existing user name, and the website would have confirmed it exists.
* claimed you forgot your password, and the site would have reset it.
* viewed the site's unencrypted source code in any browser to find the password reset code.
* plugged in the user name and reset code, and the website would have displayed a person's three security questions (your oldest niece's first name, name of favorite pet, date of wedding anniversary, etc.).
* answered the security questions wrong, and the website would have spit out the account owner's email address -- again, unencrypted.

[...]
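The sketch below is an added example, not part of the article or of Healthcare.gov's code. It shows a reset flow that avoids the disclosures listed above: the response is the same for known and unknown user names, the reset code is never placed in the response, and a failed attempt reveals no account details. All names and data (USERS, outbox, request_reset, redeem_reset) are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data; every name in this block is hypothetical.
USERS = {"alice": "alice@example.org"}
RESET_TTL = 900  # seconds a reset token stays valid
GENERIC = "If that account exists, a reset link has been sent to its email address."

_pending = {}  # username -> (sha256 of token, expiry time); the raw token is not stored
outbox = []    # stands in for the mail system: (address, token)

def request_reset(username, now=None):
    """Start a reset. The response body is identical whether or not the user exists,
    and the token goes only to the address on file, never into the response."""
    now = time.time() if now is None else now
    email = USERS.get(username)
    if email is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        _pending[username] = (digest, now + RESET_TTL)
        outbox.append((email, token))
    return {"status": 200, "body": GENERIC}

def redeem_reset(username, token, now=None):
    """Check a token. Failure returns one fixed message with no email address,
    security questions or hint about which part was wrong."""
    now = time.time() if now is None else now
    stored, expiry = _pending.get(username, (b"\x00" * 32, 0.0))
    supplied = hashlib.sha256(token.encode()).digest()
    if hmac.compare_digest(stored, supplied) and now < expiry:
        del _pending[username]  # single use
        return {"status": 200, "body": "Choose a new password."}
    return {"status": 400, "body": "Invalid or expired reset link."}

if __name__ == "__main__":
    print(request_reset("alice") == request_reset("nobody"))  # same response for both
    print(redeem_reset("alice", "guess"))
```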