amenex wrote:
"The website uses the ASP server-side programming language, which requires a Microsoft server, and the source code of the website expects Internet Explorer (IE 11)."

I suggest finding out a bit more about what versions of Windows and ASP the website is running on, and what known vulnerabilities haven't been patched in those versions. I'd be very surprised if you can't find some genuine security risks in a website optimized for a browser released in 2013, based on a proprietary scripting language created by 1990s Microsoft.

Come up with a few examples of how your Blackhat Evil Twin could use those vulnerabilities to catastrophically mess with your health provider. 3-5 examples should do, including things like using the website to tunnel into the internal network and copy the client database, or hijacking the Windows server to send trojans to every email address in the database, disguised as password reset requests.

Send that information to the risk assessment department of the insurance company that insures your health provider, with a copy cc'd to their IT department. Tell the insurance company that the best way to permanently fix these vulnerabilities is to migrate the website to a modern infrastructure, which supports web standards in a vendor-neutral fashion. Let the inherently risk-averse nature of the insurance industry do the pestering for you.

Optional step:
If they show no signs of taking action, post your research here, with a strict warning that nobody should even think about posting the info anonymously on 4Chan. Yes, I've been watching too much Mr Robot ;)
