Information Security News mailing list archives

Security hole found in Obamacare website


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 30 Oct 2013 06:40:49 +0000 (UTC)

http://money.cnn.com/2013/10/29/technology/obamacare-security/index.html

By Jose Pagliery
CNN Money
October 29, 2013

The Obamacare website has more than annoying bugs. A cybersecurity expert found a way to hack into users' accounts.

Until the Department of Health fixed the security hole last week, anyone could easily reset your Healthcare.gov password without your knowledge and potentially hijack your account.

The glitch was discovered last week by Ben Simo, a software tester in Arizona. Simo found that gaining access to people's accounts was frighteningly simple. You could have:

* guessed an existing user name, and the website would have confirmed it
  exists.

* claimed you forgot your password, and the site would have reset it.

* viewed the site's unencrypted source code in any browser to find the
  password reset code.

* plugged in the user name and reset code, and the website would have
  displayed a person's three security questions (your oldest niece's first
  name, name of favorite pet, date of wedding anniversary, etc.).

* answered the security questions wrong, and the website would have spit
  out the account owner's email address -- again, unencrypted.

[...]
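The chain the article describes rests on four weaknesses: the site confirms which user names exist, the reset code is visible in client-side page source, the security questions are shown to anyone holding that code, and a wrong answer leaks the account's email address. The following is an added example, not code from the article or from Healthcare.gov, showing a minimal reset flow in Python that closes each of those gaps. Every name in it (USERS, OUTBOX, request_reset, get_security_questions, answer_questions) and the sample account are constructed for illustration; the in-memory dictionaries stand in for a real database and mail system.

```python
import hashlib
import hmac
import secrets
import time


def _h(value):
    """SHA-256 hex digest of a string; used so neither tokens nor answers are stored in clear."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def _norm(answer):
    """Normalise a security answer before hashing or comparing (case and whitespace)."""
    return answer.strip().lower()


# Constructed in-memory user store, a stand-in for the real account database.
USERS = {
    "alice": {
        "email": "alice@example.test",
        "questions": ["Name of favorite pet?", "Date of wedding anniversary?"],
        "answer_hashes": [_h(_norm("rex")), _h(_norm("2001-06-09"))],
    },
}

RESET_TOKENS = {}    # username -> {"hash", "expires", "attempts"}; only the token's hash is kept
OUTBOX = []          # constructed stand-in for the outbound email channel: (address, token)
TOKEN_TTL = 15 * 60  # seconds a reset token stays valid
MAX_ATTEMPTS = 3     # wrong-answer budget before the token is revoked

GENERIC_REPLY = "If an account matches, reset instructions were sent to the email on file."


def request_reset(username, now=None):
    """Step 1. The reply is identical whether or not the account exists, so the form
    cannot be used to confirm user names. The token is generated server-side with a
    CSPRNG and leaves only through the email channel, never through page source."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[username] = {"hash": _h(token), "expires": now + TOKEN_TTL, "attempts": 0}
        OUTBOX.append((user["email"], token))
    return GENERIC_REPLY


def _valid_token(username, token, now):
    """True only for an unexpired token whose hash matches; constant-time comparison."""
    rec = RESET_TOKENS.get(username)
    if rec is None or now > rec["expires"]:
        hmac.compare_digest(_h(token), _h(""))  # dummy compare so timing does not reveal absence
        return False
    return hmac.compare_digest(_h(token), rec["hash"])


def get_security_questions(username, token, now=None):
    """Step 2. Questions are revealed only to the holder of a valid token; otherwise None."""
    now = time.time() if now is None else now
    if not _valid_token(username, token, now):
        return None
    return list(USERS[username]["questions"])


def answer_questions(username, token, answers, now=None):
    """Step 3. A wrong answer yields only False: no email address and no hint about which
    answer failed. Each failure burns one attempt; a correct set consumes the token."""
    now = time.time() if now is None else now
    if not _valid_token(username, token, now):
        return False
    rec = RESET_TOKENS[username]
    expected = USERS[username]["answer_hashes"]
    ok = len(answers) == len(expected)
    for given, want in zip(answers, expected):  # no short-circuit: check every answer
        ok &= hmac.compare_digest(_h(_norm(given)), want)
    if ok:
        del RESET_TOKENS[username]  # single use
        return True
    rec["attempts"] += 1
    if rec["attempts"] >= MAX_ATTEMPTS:
        del RESET_TOKENS[username]
    return False
```

The point of the structure is that every response an unauthenticated caller can see is the same regardless of whether the account exists, and that nothing about the account (questions, email) is returned until a secret that only the mailbox owner received has been presented.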


