updated 08:36 pm EST, Tue January 21, 2014
Users' private information on the site accessible using advanced Google search
According to TrustedSec's chief executive David Kennedy, the security issues the firm reported to Congress have not been rectified following the December re-launch of the US government's healthcare site, Healthcare.gov. To wit, the group was able to discover at least 70,000 records containing personal information, including full names, addresses, user names and, in some cases, social security numbers, just by using an advanced Google search. To date, the company claims, the flaws allowing this exposure and others have not been fixed.
The CEO notes that "there are a number of other [problems] that have been reported privately that continue to expose users of the healthcare.gov website. It appears that the release and launch date of the website was purely on the functional levels, not that of the security."
In a blog post this week, Kennedy noted that the group performed "no 'hacking' or 'cracking' at all on the website. We didn't test for SQL Injection, run scanners, port scan the website, or even modify input parameters. Anything of that sort is offensive, and not within my rights or am allowed to perform. We did no active testing, or attempt to expose sensitive information or bypass any security mechanisms on the site." Nevertheless, the group was able to reach 70,000 users' personal information "using basic Google search terms and browsing through a web browser." No actual medical or healthcare-related information was found through the Google searches of the site, as no medical or treatment records are stored there.
Kennedy noted that, since the original Congressional testimony, the Department of Health and Human Services has "hired respectable companies to perform testing ... the hope is that they given enough time and are allowed to perform full scope assessments, including source code analysis, and dynamic testing." Unfortunately, he wrote in this week's blog post that "to what extent this testing has occurred is an unknown, but the fixes haven't been put in place from what we can see."