Skip the navigation

Researcher sounds alarm on state health exchange security

Cursory review of three sites shows them to be buggy and easily exploitable

November 7, 2013 07:14 AM ET

Computerworld - Several state healthcare exchanges established as part of the Affordable Care Act (ACA) appear buggy and easy to attack, a security researcher warned this week.

Kyle Adams, chief software architect for Juniper Networks' Junos WebApp Secure intrusion detection technology, said a cursory examination of some state health insurance sites revealed coding issues that make the sites vulnerable to attackers.

Adams says he didn't have to conduct penetration tests or even log in in to the sites to discover the problems. Instead, he identified potential security issues merely by reviewing the HTML and HTTP traffic between his computer and the websites using a web debugging proxy tool.

"[The sites] produced errors suggesting that the developers did not properly handle specific conditions," Adams said. "They are built in such a way as to almost attract attackers."

Most of the security concerns to date surrounding the ACA health exchanges center on the federally run Healthcare.gov website, which has suffered from a series of performance issues ever since it went live Oct. 1. Less attention has been paid so far to the 15 state-run healthcare exchanges in states like Massachusetts, Connecticut, Maryland, Vermont, New York and Washington.

With a few exceptions, the state run exchanges have fared better than Healthcare.gov, at least in allowing people to enroll in healthcare plans. Problems reported on these sites are mostly related sometimes to backend issues.

However, a review of three state-run exchanges found security problems as well, Adams said. "I did some light investigation on some of the health care websites, including Kentucky, Vermont, Maryland and the federal HealthCare.gov sites and quickly identified areas that would be attractive to attackers."

Using the debugging proxy, Adams looked at how each site interacted with his browser in response to simple requests like loading a new page.

He quickly discovered that the sites were serving up a lot more information than needed to fulfill the requests. A few of the interactions going on in the background were coming back with errors and unnecessary information, Adams added.

The sites appears to be needlessly interacting with the underlying servers and pulling up information, such as that related to the login process even though no attempt was made to log in to any site. "There were a lot of requests issued in the background. It was really weird. Things like user records were coming back with no records," Adams said.

"In all cases, except Maryland, a fair amount of backend implementation information was disclosed to the client," Adams noted. "This is generally not advisable, because it allows attackers to target their attacks more efficiently. It also allows attackers to identify the architecture and find holes in the business logic and code interactions."



Our Commenting Policies