Early shakedowns of the health insurance exchange websites show they are vulnerable to cross-site request forgery, clickjacking and cookie attacks, among other risks.

Mathew J. Schwartz, Contributor

October 7, 2013


Are the health insurance exchanges -- aka "Obamacare" -- websites mandated by the Affordable Care Act safe against online attackers?

After the exchanges, also known as health insurance marketplaces, debuted Tuesday, users reported difficulty using them, to either price or sign up for insurance. At the federal level, White House officials blamed the glitches -- which persisted throughout last week -- on the large number of visitors to healthcare.gov, which saw 4.7 million unique visitors in its first 24 hours, and 9 million in total by Friday.

Sunday, however, federal officials admitted that healthcare.gov would require both code-level improvements as well as increased server capacity. "We can do better and we are working around the clock to do so," Department of Health and Human Services spokeswoman Joanne Peters told The Wall Street Journal. Forthcoming improvements will reportedly include both software and hardware changes.


To that list of fixes, however, the federal government -- which, through healthcare.gov, is currently supporting or running health insurance exchanges for 36 states -- and the 14 states that are running their own exchanges might want to add a handful of information security improvements.

Here are five top concerns:

1. All-Access Request For Other Sites

According to Nidhi Shah, who works on research and development for HP's Web Security Research Group, healthcare.gov uses an HTML5 header that allows any site to make an AJAX request to healthcare.gov, then see the response. "We could not access [the] authenticated area of healthcare.gov -- the site was overloaded -- but if this is the policy applied to any authenticated page of the site, it could expose the site to serious threats like cross-site request forgery (CSRF)," Shah said in a blog post. CSRF attacks, which have a place on the SANS list of the 25 most dangerous software errors (at #12), refer to tricking a targeted website into disclosing sensitive information.

2. Clickjacking Threat

The second major healthcare.gov security concern is the site's lack of clickjacking defenses. Using clickjacking, an attacker could overlay invisible elements on the legitimate website, so that, for example, if a user clicked what appeared to be a real link, it might run a malicious script instead. "To our surprise, healthcare.gov does not deploy any defense and the site can be easily framed inside an HTML iFrame tag," Shah said. In the past, many websites have used JavaScript "framekillers" to mitigate this type of vulnerability. "However, the introduction of the iFrame Sandbox attribute in the HTML5 specification has rendered that approach useless," she said.

3. Cookie Theft

According to Shah, healthcare.gov fails to set the HttpOnly flag on its cookies, which blocks client-side scripts from reading a cookie stored in the browser and so defends it against malicious scripts. The site also fails to set the Secure flag on its cookies, which keeps a cookie from being transmitted in plaintext -- where it would be vulnerable to eavesdropping -- by sending it only over an established HTTPS connection.

"Healthcare.gov uses cookies to maintain user history on the site and [for] user identification," said Shah. Although she doesn't know if the cookies will also save a user's credentials, an attacker could at least retrieve "sensitive information such as ... possible health issues, income level, and marital status," she said, that most people would rather remain private.
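The three code-level red flags above (a wildcard cross-origin policy, no framing defense, cookies without HttpOnly and Secure) are all visible in a site's HTTP response headers, so a defender can check for them without touching any authenticated page. The following is an added example, not code from the article or from HP's research: a small Node.js audit function that takes parsed response headers and returns a list of findings. It assumes the "HTML5 header" Shah describes is the CORS header Access-Control-Allow-Origin, and it treats X-Frame-Options or a Content-Security-Policy frame-ancestors directive as the framing defense (both are enforced by the browser even when the page is loaded inside a sandboxed iframe, which is why they are preferred over JavaScript framekillers). The header values and cookie names are constructed for the example.

```javascript
// Added example (not from the article or HP's research): audit parsed HTTP
// response headers for the red flags discussed above. Sample values are constructed.

// Return the attribute names (lowercased) carried by one Set-Cookie value.
function cookieAttributes(setCookieValue) {
  const parts = setCookieValue.split(";").slice(1); // drop the name=value pair
  return new Set(parts.map((p) => p.trim().split("=")[0].toLowerCase()));
}

// headers: object mapping lowercased header name -> string, or array of strings
// for repeated headers such as Set-Cookie. Returns an array of finding strings;
// an empty array means none of the three red flags was seen.
function auditHeaders(headers) {
  const findings = [];
  const get = (name) => headers[name.toLowerCase()];

  // 1. Cross-origin access: '*' lets any site's script read the response body.
  //    A specific origin plus credentials is only safe if that origin is not
  //    simply reflected from the request, so it is flagged for manual review.
  const acao = get("Access-Control-Allow-Origin");
  const acac = get("Access-Control-Allow-Credentials");
  if (acao === "*") {
    findings.push("CORS: Access-Control-Allow-Origin is '*' (any site may read responses)");
  } else if (acao && String(acac).toLowerCase() === "true") {
    findings.push(`CORS: credentials allowed for ${acao}; confirm the origin is not reflected`);
  }

  // 2. Framing: with neither X-Frame-Options nor CSP frame-ancestors, the page
  //    can be placed inside an iframe on another site (clickjacking).
  const xfo = get("X-Frame-Options");
  const csp = get("Content-Security-Policy") || "";
  if (!xfo && !/frame-ancestors/i.test(csp)) {
    findings.push("Clickjacking: no X-Frame-Options and no CSP frame-ancestors directive");
  }

  // 3. Cookies: every Set-Cookie should carry both HttpOnly and Secure.
  let cookies = get("Set-Cookie") || [];
  if (!Array.isArray(cookies)) cookies = [cookies];
  for (const c of cookies) {
    const name = c.split("=")[0].trim();
    const attrs = cookieAttributes(c);
    if (!attrs.has("httponly")) findings.push(`Cookie ${name}: missing HttpOnly`);
    if (!attrs.has("secure")) findings.push(`Cookie ${name}: missing Secure`);
  }
  return findings;
}

// Constructed sample: a response showing all three red flags ...
const WEAK_RESPONSE = {
  "access-control-allow-origin": "*",
  "set-cookie": ["sessionid=abc123; Path=/", "history=step2; Path=/"],
};

// ... and a hardened response for the same page (origin value is hypothetical).
const HARDENED_RESPONSE = {
  "access-control-allow-origin": "https://www.example.gov",
  "x-frame-options": "DENY",
  "content-security-policy": "frame-ancestors 'none'",
  "set-cookie": ["sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
};

console.log("weak:", auditHeaders(WEAK_RESPONSE));         // six findings
console.log("hardened:", auditHeaders(HARDENED_RESPONSE)); // []
```

To run this against a live site you would feed it the headers from a plain, unauthenticated `GET` of the landing page (for example from Node's `http.get` response object, whose `headers` property already uses lowercased names and an array for repeated `Set-Cookie`). The audit only reads headers; it sends no crafted requests and needs no account on the site.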

4. Fake Sites

Which health insurance exchange sites are real? "The health insurance exchange isn't made up of a single, authoritative site where people can go and register for coverage," said Christopher Budd, threat communications manager for Trend Micro, in a blog post. "In addition to the federal site, people can apply for coverage at sites run by individual states. Then, within each state, there can also be legitimate third-party sites that provide assistance and even broker coverage," he said.

Although the federal site does use SSL to verify its authenticity, "a survey of state and third-party sites also shows that official sites aren't required to provide the ability to verify the site using SSL" -- and many don't. "As people look for health care exchanges, they're going to be faced with potentially hundreds or thousands of sites that claim to be legitimate, but [they] won't be able to easily verify that claim," except based on how a site looks, said Budd.

Accordingly, many security experts have recommended that -- just as with banking sites and PayPal, among other sites -- people never, ever click a link to the site that's in an email they've received, or use an online search to find the site. Instead, type the URL into the address bar, to avoid poisoned search results or phishing attacks. Or for healthcare, simply call one of the exchange phone numbers, or visit an office in person, recommended Budd.

5. Scam Psychology

How many people would willingly divulge not just their own social security number, but the numbers for everyone in their family? For health exchanges, that's essential information, which means consumers might soon find themselves being targeted by scammers posing as health insurance exchange brokers.

"Most of us won't give our social security numbers out willingly. But when it comes to healthcare, the industry uses that information so regularly that we've come to accept handing that information over as a matter of course -- even if we don't like it," said Budd. Accordingly, consumers should beware parting with that information, unless they've first verified the identity of the caller or website with which they're planning to share it.

Expect Marketplaces To Be Targeted

Just how risky are all these threats? In the case of the code-level flaws found by HP's Shah, she characterized the information security risks not as vulnerabilities, but rather "red flags." Budd's warnings center on scam psychology and the threat of fake websites, which already threaten numerous types of sites.

But given the high profile of healthcare.gov and other portals, as well as the sensitive information they handle, it wouldn't be surprising if identity thieves, at least, begin probing healthcare.gov and other sites' weaknesses. "The site handles the sensitive information of millions of Americans: health history, identity, tax records and more," Shah said. In short, consumers will need all the security they can get.

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
