http://www.forbes.com/sites/kashmirhill/2014/01/15/so-you-found-an-obamacare-website-is-hackable-now-what/
By Kashmir Hill
Forbes Staff
1/15/2014
Two months ago, L.A.-based security researcher Kristian Erik Hermansen was
signing up for Obamacare via the Covered California site. Given his
background in finding vulnerabilities in software and websites, spotting
security flaws is second nature to him, so he couldn’t help but notice
problems with the California site, which has seen the most registrations
for healthcare in the country.
The technical problems with the website set up for the Affordable Care Act
have been well-documented and security flaws have been discovered. When
critics started calling the main federal Obamacare site a “hacker’s dream”
though, people rightly pointed out that the more sensitive information —
social security numbers, incomes, and birthdates — is instead in the hands
of the state-level portals. That of course is exactly what the Covered
California site is. Hermansen discovered a vulnerability that would allow
someone to take over another person’s account on the California site, and
review or change the information entered there. He tried contacting
Covered California “at least 15 times” by email, phone or chat about the
problem, but got no response for over a month. “They must have been
overwhelmed by people seeking help with the site,” he says.
On December 24, he finally got through by phone to a Covered California
representative and he explained the issues he’d found, but they remained
unfixed and he didn’t hear back from them. Given that it was Christmas,
that’s not terribly surprising. But Hermansen, frustrated that the flaw
had been out there for over a month already, decided two days later to
release a video of the exploit to YouTube and posted it to a security
sub-Reddit. That got the attention of a Covered California lawyer who
contacted him to take the video down, and also flagged it with YouTube; it
was soon removed. The lawyer’s tone was contrite in the email. “I am sorry
no one responded to you earlier,” he wrote. “We will have to figure out
where or how your prior message to us got lost.”
Hermansen then spoke by phone to the lawyer and a chief security person.
“They were not interested in talking about the security issues but about
getting the video or any other online mention of the flaw taken down,” he
says.
[...]