HealthCare.gov had a glaring security flaw that wasn’t patched until last week

(Image: Healthcare.gov)

Administration officials knew that the Obamacare Web site posed a danger to online security days before it actually went live, according to an internal memo obtained by the AP and The Washington Post.

The memo warned that in the days leading up to the launch, the system hadn't been sufficiently tested, "exposing a level of uncertainty that can be deemed high risk."

From the text of the memo, the officials didn't appear to have a specific vulnerability in mind. Health and Human Services Secretary Kathleen Sebelius told Congress Wednesday morning that consumers' personal data was safe.

But, as it turns out, there was a specific problem with HealthCare.gov, and in contrast to Sebelius's statements, it definitely did put user data at risk. Ben Simo, an Arizona-based security researcher, discovered a flaw in the site as recently as last week that would have allowed an attacker to take over a customer's whole account in the insurance hub.

According to CNN, Simo's report detailed how it was possible to guess a username and have the system confirm it existed. Then he showed how tricking the system's password-reset mechanism could give up a user's e-mail address, unencrypted. A reasonably determined attacker might then be able to use that account information against its owner, finding out the answers to recovery questions and other sensitive information.
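The two weaknesses described above, a login or reset flow that confirms whether a username exists and a reset mechanism that echoes the account's e-mail address back to an unauthenticated caller, are a well-known pattern. The snippet below is an added illustration written for this article, not code from HealthCare.gov or from the researcher's report: it contrasts a leaky password-reset handler with a hardened one that answers identically whether or not the account exists and never reveals the address. The account table, function names and response shapes are constructed assumptions.

```python
"""Username enumeration and e-mail disclosure in a password-reset flow,
shown as a weak handler beside a hardened one.

Constructed example. The account data and handler behaviour are assumptions
used for illustration; they are not HealthCare.gov's actual implementation.
"""
import secrets

# Constructed sample accounts (hypothetical data, not real users).
ACCOUNTS = {
    "jane.doe": {"email": "jane@example.invalid"},
    "jsmith": {"email": "jsmith@example.invalid"},
}

# Stand-in for an outbound mail queue; a real system would hand the token
# to a mailer and never return it to the HTTP caller.
SENT_MAIL = []


def _queue_reset_mail(email: str, token: str) -> None:
    """Record that a reset token was sent out of band to the account owner."""
    SENT_MAIL.append((email, token))


def leaky_reset(username: str) -> dict:
    """Weak pattern: the response differs depending on whether the username
    exists (404 vs 200), which lets a caller confirm valid usernames, and the
    success message echoes the e-mail address on file to whoever asked."""
    account = ACCOUNTS.get(username)
    if account is None:
        return {"status": 404, "message": "No account with that username"}
    token = secrets.token_urlsafe(32)
    _queue_reset_mail(account["email"], token)
    return {"status": 200, "message": f"Reset link sent to {account['email']}"}


def hardened_reset(username: str) -> dict:
    """Hardened pattern: the caller gets the same status and message whether
    or not the account exists. The reset token is generated with a CSPRNG and
    delivered only to the address on file, which is never echoed back."""
    account = ACCOUNTS.get(username)
    if account is not None:
        token = secrets.token_urlsafe(32)
        _queue_reset_mail(account["email"], token)
    return {
        "status": 200,
        "message": "If an account with that username exists, a reset link has been sent.",
    }


def responses_distinguishable(reset_fn, known="jane.doe", unknown="no_such_user_x9") -> bool:
    """Simple check a reviewer can run against a reset handler: does the
    response for a real username differ from the one for a bogus username?
    True means the endpoint confirms account existence to anyone."""
    return reset_fn(known) != reset_fn(unknown)


if __name__ == "__main__":
    print("leaky handler distinguishable:", responses_distinguishable(leaky_reset))
    print("hardened handler distinguishable:", responses_distinguishable(hardened_reset))
    print("hardened response:", hardened_reset("jane.doe"))
```

Making the response uniform closes the enumeration channel and the address disclosure, but it is not the whole fix: the hardened handler still does more work (token generation, mail queuing) for a real account than for a bogus one, so a production endpoint also needs rate limiting and, ideally, a response time that does not depend on whether the lookup hit.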

What's more, CNN reports, when Simo tried to alert the government, the person on the other end of the line passed him to law enforcement. The security gaps weren't fixed until Oct. 25, nearly a whole month after HealthCare.gov opened for business.

Brian Fung covers technology for The Washington Post, focusing on telecommunications and the Internet. Before joining the Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.
