October 30, 2013
Until fixed on Wednesday afternoon, a security flaw in CuidadoDeSalud.gov -- the Spanish language version of HealthCare.gov -- could have allowed hackers to steal personal information from enrollees as they typed, according to three independent software developers. The Health and Human Services Department repaired the software error after Nextgov inquired about the defect early Wednesday.
HHS remedied a similar bug on the English-speaking site at some point between Oct. 4 and Oct. 10.
While citizens bemoan the online healthcare shop’s inelegant functionality, some programmers say the same clumsiness is creating vulnerabilities that criminals could exploit, especially as the site becomes more reliable and attracts more users.
The Spanish version remained faulty likely because the estimated 500 million lines of code running the marketplace are managed by multiple system administrators and reside on separate servers, said Gabriel Harrop, who examined public code through his browser’s developer tools.
HHS spokeswoman Joanne Peters said on Wednesday that personnel are mending the weakness and adding extra protections.
"We have taken great care to ensure that people's usernames and information are kept secure,” she said in an email. “We are eliminating this theoretical vulnerability by preventing users from seeing the specific reset functionality when trying to reset their password."
Personnel are correcting this specific issue by preventing the server from sending, in plain view, a unique Web session identifier to browsers, HHS officials said. The ID had been sent and stored in every user’s browser, according to outside programmers.
The core of HealthCare.gov’s technical troubles is its ad-hoc construction, they added.
The problem with making last-minute changes and adding software packages is that “if a vulnerability comes up in the future, with their code or one of the packages that they have included, they are most likely not going to be able to push an update" or devise a workaround quickly” Harrop said Tuesday afternoon, before the fix. “So just the fact that they haven’t fixed these fairly small trivial issues is not a very good sign."
He discovered the glitch within two hours Tuesday morning, after he started poking around for holes.
The so-called invisible frame injection identified could let hackers capture Social Security numbers and other confidential information that healthcare applicants enter while enrolling. Invisible frames are strings of code often used to embed clickable ad boxes on webpages. The IFrame error on CuidadoDeSalud.gov allowed unauthorized users to insert a credential-stealing file that, for example, could be set to activate when a user clicked on the "Solicitar Ahora" (Apply now) box on the homepage.
Identity theft is one potential consequence of this sort of flaw, other researchers said.
Easily finding one vulnerability in less than two hours indicates there will be ongoing security problems on Healthcare.gov as long as a patchwork system of coding and software packages remains, said the researchers, who requested anonymity because they do separate business with the government.
HealthCare.gov comprises about 10 times more lines of code than Windows XP. “There’s no way that, given their timeframe and constraints and requirements, that was all either quality or original code, so you can assume that they’ve been doing a lot of copying and pasting and just kind of rampant inclusion of any code they thought would be useful,” Harrop said.
A separate flaw in HealthCare.gov that could have exposed email and other account information was eliminated on Monday, after a private citizen informed HHS officials of the problem, Time reported.
The enormous size of the site affects “performance, which is the biggest topic on everyone’s minds right now, but it’s also a security issue because the more [upgrades] and code that you bring in, the more potential security vulnerabilities you have,” Harrop said.
Responding to such concerns, HHS officials said consumers who fill out online forms can trust that the information entered is protected by stringent standards and that the technology underlying the application process is secure.
Apparently the department was aware of security hazards ahead of the site’s debut. CNN on Wednesday obtained an internal memo from the agency responsible for HealthCare.gov, the Centers for Medicare and Medicaid Services, which was written just days before Healthcare.gov opened and warned of a "high" security risk because of limited testing.
"Due to system readiness issues, the (security control assessment) was only partly completed," the CMS memo stated. "This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations."
Federal officials had announced that CMS, on Sept. 6, self-certified the hub as safe to launch after reviewing contractor assessments to ensure all potential compromises had been addressed, as is practice under federal rules.
The evaluations were not vetted by internal auditors. The HHS inspector general chose not to review the draft and final security plans before kickoff, due to limited time and resources, an IG official told Nextgov in September.
One of the independent researchers on Tuesday night left a message for HHS Secretary Kathleen Sebelius’ chief of staff about the risk of compromising personal information and provided a name and number for immediate contact.
Late Wednesday afternoon, the researcher received a call from a department employee indicating an operations person would be in touch to learn more about the issues detected, the researcher said.
The various programmers said, by that point, they felt HHS personnel had pinpointed and fixed the most severe mistakes.
October 30, 2013