5 Obamacare Health Site Security Warnings
Early shakedowns of the health insurance exchange websites show they are vulnerable to cross-site request forgery, clickjacking and cookie attacks, among other risks.
After the exchanges, also known as health insurance marketplaces, debuted Tuesday, users reported difficulty using them, to either price or sign up for insurance. At the federal level, White House officials blamed the glitches -- which persisted throughout last week -- on the large number of visitors to healthcare.gov, which saw 4.7 million unique visitors in its first 24 hours, and 9 million in total by Friday.
Sunday, however, federal officials admitted that healthcare.gov would require both code-level improvements as well as increased server capacity. "We can do better and we are working around the clock to do so," Department of Health and Human Services spokeswoman Joanne Peters told The Wall Street Journal. Forthcoming improvements will reportedly include both software and hardware changes.
To that list of fixes, however, the federal government -- which through healthcare.gov is currently supporting or running health insurance exchanges for 36 states -- and 14 states that are running their own exchanges might want to add a handful of information security improvements.
1. All-Access Request For Other Sites
According to Nidhi Shah, who works on research and development for HP's Web Security Research Group, healthcare.gov uses an HTML5 header that allows any site to make an AJAX request to healthcare.gov, then see a response. "We could not access [the] authenticated area of healthcare.gov -- the site was overloaded -- but if this is the policy applied to any authenticated page of the site, it could expose the site to serious threats like cross-site request forgery (CSRF)," Shah said in a blog post. CSRF attacks, which have a place on the SANS list of the 25 most dangerous software errors (at #12), refer to tricking a targeted website into disclosing sensitive information.
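An added defender-side check, not code from the article or from healthcare.gov: it audits captured CORS response headers for the open policy described above and builds the corrected reply. It assumes the header in question is the standard Access-Control-Allow-Origin; the trusted origin and all sample values are constructed.

```python
"""Audit a CORS response and build the hardened reply.

Added example: the Access-Control-* header names are standard CORS and are
assumed to be the "HTML5 header" the article refers to; every sample value
is constructed, not captured from healthcare.gov.
"""

TRUSTED = {"https://www.example-exchange.gov"}  # assumed allowlist (constructed)


def assess_cors(request_origin, headers, trusted=TRUSTED):
    """Return a list of findings for one response; an empty list means nothing to flag."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings  # no cross-origin read is granted at all
    if acao == "*":
        findings.append("wildcard: any site can read responses sent without credentials")
        if creds:
            # Browsers refuse '*' alongside credentials, so nothing extra leaks,
            # but the pair shows the policy was never thought through.
            findings.append("wildcard plus credentials (browsers ignore this combination)")
    elif acao == request_origin and request_origin not in trusted:
        findings.append("origin reflected: server echoes an untrusted Origin")
        if creds:
            findings.append("CRITICAL: reflected origin with credentials exposes authenticated responses")
    if acao != "*" and "origin" not in h.get("vary", "").lower():
        findings.append("missing 'Vary: Origin': a cache may replay one origin's grant to another")
    return findings


def hardened_cors(request_origin, trusted=TRUSTED):
    """Corrected policy: exact allowlist match, credentials only for trusted origins."""
    if request_origin not in trusted:
        return {"Vary": "Origin"}  # no Access-Control-Allow-Origin header at all
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed samples: the open policy from the article, a reflected-origin
    # variant, and the hardened reply for the same untrusted origin.
    other = "https://untrusted.invalid"
    print(assess_cors(other, {"Access-Control-Allow-Origin": "*"}))
    print(assess_cors(other, {"Access-Control-Allow-Origin": other,
                              "Access-Control-Allow-Credentials": "true"}))
    print(assess_cors(other, hardened_cors(other)))
```

A wildcard grant only exposes responses fetched without cookies, so the finding that matters most for an authenticated area is a reflected origin combined with Access-Control-Allow-Credentials.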