11:23 AM

5 Obamacare Health Site Security Warnings

Early shakedowns of the health insurance exchange websites show they are vulnerable to cross-site request forgery, clickjacking and cookie attacks, among other risks.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)

Are the health insurance exchanges -- aka "Obamacare" -- websites mandated by the Affordable Care Act safe against online attackers?

After the exchanges, also known as health insurance marketplaces, debuted Tuesday, users reported difficulty using them, to either price or sign up for insurance. At the federal level, White House officials blamed the glitches -- which persisted throughout last week -- on the large number of visitors to, which saw 4.7 million unique visitors in its first 24 hours, and 9 million in total by Friday.

Sunday, however, federal officials admitted that would require both code-level improvements as well as increased server capacity. "We can do better and we are working around the clock to do so," Department of Health and Human Services spokeswoman Joanne Peters told The Wall Street Journal. Forthcoming improvements will reportedly include both software and hardware changes.

[ Find out how Obamacare could change how companies offer health insurance to employees. Read Obamacare: The Rise Of Private Health Insurance Exchanges. ]

To that list of fixes, however, the federal government -- which through is currently supporting or running health insurance exchanges for 36 states -- and 14 states that are running their own exchangesmight want to add a handful of information security improvements.

Here are five top concerns:

1. All-Access Request For Other Sites

According to Nidhi Shah, who works on research and development for HP's Web Security Research Group, uses an HTML5 header that allows any site to make an AJAX request to, then see a response. "We could not access [the] authenticated area of -- the site was overloaded -- but if this is the policy applied to any authenticated page of the site, it could expose the site to serious threats like cross-site request forgery (CSRF)," Shah said in a blog post. CSRF attacks, which have a place on the SANS list of the 25 most dangerous software errors (at #12), refer to trickinga targeted website into disclosing sensitive information.

2. Clickjacking Threat

The second major security concern is the site's lack of clickjacking defenses. Using clickjacking, an attacker could overlay invisible elements on the legitimate website, so that, for example, if a user clicked what appeared to be a real link, it might run a malicious script instead. "To our surprise, does not deploy any defense and the site can be easily framed inside an HTML iFrame tag," Shah said. In the past, many websites have used JavaScript "framekillers" to mitigate this type of vulnerability. "However, the introduction of the iFrame Sandbox attribute in the HTML5 specification has rendered that approach useless," she said.

3. Cookie Theft

According to Shah, fails to employ HttpOnly, which restricts access to cookies stored on a PC, in particular defending them against malicious scripts. The site also fails to employ secure flags for cookies, which prevents cookies from being transmitted in plaintext -- which makes them vulnerable to eavesdropping -- by only transmitting cookies after an HTTPS session has first been established.

" uses cookies to maintain user history on the site and [for] user identification," said Shah. Although she doesn't know if the cookies will also save a user's credentials, an attacker could at least retrieve "sensitive information such as ... possible health issues, income level, and marital status," she said, that most people would rather remain private.

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
10/9/2013 | 6:51:44 PM
re: 5 Obamacare Health Site Security Warnings
Seems like development was rushed, making security less of a priority, which is fairly shocking considering the sensitivity of the data involved.
User Rank: Apprentice
10/8/2013 | 3:32:29 PM
re: 5 Obamacare Health Site Security Warnings
Communicating healthcare reform: Helping navigate the waters. See: http://www.healthcaretownhall....
User Rank: Apprentice
10/8/2013 | 12:11:21 PM
re: 5 Obamacare Health Site Security Warnings
I don't think the lack of availability will pose a security risk. I think any failures will simply result in the site being unavailable.

Still, the domain of load management and load balancing seems pretty circa-late-1990s. Meaning that with proper prep time, all of this should have been ironed out well in advance. But as you noted in your tech critique of the insurance exchanges, owing perhaps to the timelines involved (short) and logic requirements (complex, given the complex law that the site and its workflows must accommodate), obviously too little time has been spent to ensure the site can meet projected demand.

Data quality also sounds like an ongoing challenge, with insurers reporting last week that they had seen few (if any) actual applications, suggesting that the system isn't yet as automated -- and the source data as clean -- as it will need to be.

On the flip side, in this era of agile development, perhaps there are some upsides to the current scenario? The high-profile launch, while frustrating for users, has lit a fire under development teams, and whoever is holding their purse strings. How many federal and state IT projects in the past have too often exceeded their budgets, been "over-redesigned" throughout implementation and as a result faced interminable delays, if ever reaching fruition? But is now live. The development team must iterate, refine and improve the system to the point where it should have been, prior to being launched.
David F. Carr
David F. Carr,
User Rank: Apprentice
10/7/2013 | 6:31:04 PM
re: 5 Obamacare Health Site Security Warnings
I wonder if there are risks inherent to the sites being overloaded - whether they're likely to fail under stress in a way that reveals private info
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-06
libstagefright in Android before 5.1.1 LMY48T allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 21335999.

Published: 2015-10-06
Bluetooth in Android before 5.1.1 LMY48T allows attackers to remove stored SMS messages via a crafted application, aka internal bug 22343270.

Published: 2015-10-06
mediaserver in Android before 5.1.1 LMY48T allows attackers to cause a denial of service (process crash) via unspecified vectors, aka internal bug 22954006.

Published: 2015-10-06
The Runtime subsystem in Android before 5.1.1 LMY48T allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23050463.

Published: 2015-10-06
libstagefright in Android before 5.1.1 LMY48T allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 23213430.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.