Obamacare Website Still Contains Flaws: Security Expert


The problem-plagued HealthCare.gov website has gotten a green light this week following operational improvements and bug fixes, but a noted security expert who testified to a Congressional committee about security flaws in the Obamacare website said it continues to contain weaknesses that can be exploited by cybercriminals.

"Out of the concerns, a number of undisclosed exposures have still not been addressed and exist today," wrote David Kennedy, CEO of TrustedSec, in response to those endorsing the website this week. "Regardless of beliefs, political views, or stances, the website continues to incorporate poor security practices and should be addressed as soon as possible."

Kennedy, a software security expert and former chief information security officer at ATM machine manufacturer Diebold Inc., heads the Strongsville, Ohio-based solution provider and security consultancy that specializes in penetration testing and risk assessments. In a Nov. 19 testimony in front of the House Committee on Science, Space and Technology, Kennedy said his passive analysis of the HealthCare.gov website uncovered dozens of holes that could potentially be used to gain access to user data.

[Related: Obamacare Site Disaster: 10 Steps Solution Providers Would Take To Fix It]

The Department of Health and Human Services issued a progress report on Dec. 1 indicating that more than 400 bug fixes had been made. Hardware upgrades also provided stability and performance improvements, the agency said.

The website continues to contain security weaknesses that could allow an attacker to gain user information through a sub-site that integrates with HealthCare.gov. Kennedy said a malicious script could potentially enable an attacker to gain access to an account holder's full name, email, user ID and profile. A number of other flaws also expose account holder data and have been reported privately, according to Kennedy.

"It appears that the release and launch date of the website was purely on the functional levels, not that of the security," Kennedy wrote.

The HealthCare.gov website continues to contain multiple open redirect vulnerabilities. Redirects in a website must validate the parameters of the Web application before sending the redirect code to a user's browser. Failing to validate the parameters of the application could help fuel phishing attacks, enabling cybercriminals to get users to visit malicious sites without realizing it, according to the Open Web Application Security Project.

In one attack scenario, Kennedy said a targeted email could be sent to account holders prompting them to visit HealthCare.gov. The message would look legitimate but would instead redirect users to a malicious site, he said. Gillis Jones, an independent security researcher who conducted analysis of HealthCare.gov, detected one of the open redirect bugs, which was recently fixed. Kennedy said the HealthCare.gov website and supporting sub-sites continue to contain other similar open redirect vulnerabilities.

Security flaws are solvable, but vigilance is needed because hackers will attempt to find weaknesses, said Alex Brown, CEO of Chicago-based 10th Magnitude, Inc., a firm that provides cloud-based application development, migration and maintenance services. Security flaws are abundant in all software, but they can be limited by having people who design and architect Web applications appropriately, Brown said.

"Certainly the experts are right to raise concern because the issues they're raising are real issues, but I wouldn't jump to a panic on what is being pointed out," Brown told CRN. "All of this stuff is fixable."

Brown said security often is an afterthought for organizations that don't have compliance requirements. Some firms know the site they are building isn't processing sensitive data or credit card information, he said.

"For many clients, speed and usability are the biggest requirements, and security is not quite as significant," Brown said. "We know how to engineer for a level of compliance and security, but you have to do it up front, and our other clients who process financial transactions or personal information understand the critical necessity of security."

John Steven, internal chief technology officer at Dulles, Va.-based software security firm Cigital, told CRN that the security weaknesses could expose the insurance industry to additional risk. Steven said the data exposure associated with the site could create a window into health insurance companies that attackers can use to breach the companies' systems.

"This problem is not going to go away, not only for HealthCare.gov but for the government in general," Steven said.

In addition, Kennedy has pointed out that the HealthCare.gov testing exposed test domains to the Internet, enabling Google and other search engines to crawl, cache and index the testing data. This can provide information to cybercriminals creating an attack.

Software developers use a test server to test a domain, and occasionally the test server is exposed to the Internet. Google has a process that developers can use to remove URLs from its results. Occasionally experts say it can take up to a month for the search engine's crawlers to attempt to revisit a test domain and remove it once it is no longer visible to the Internet.

Associate Editor Sarah Kuranda contributed to this report.

PUBLISHED DEC. 3, 2013