Medical Apps Come Packaged with Hardcoded CredentialsMedical Apps Come Packaged with Hardcoded Credentials
A trio of static accounts in EMR and billing software from DocuTrac can lead to serious vulnerabilities in sensitive data bases.
March 14, 2018
Two popular applications for medical records management contain hidden user accounts with hard-coded credentials that could be abused by hackers, a researcher has found.
Rapid7 today published a report on the newly discovered security vulnerabilities (CVE-2018-5551 and CVE-2018-5552) in DocuTrac's electronic medical record (EMR) software QuicDoc and Office Therapy billing software. DocuTrac software runs at some 5,000 healthcare practices, including county and state mental health facilities, employee assistance programs, behavioral health, and other facilities.
Three user accounts are created when the software is installed, and these accounts have high levels of access to the database, according to Rapid7, who handled the vuln disclosure on behalf of the independent researcher who discovered the flaws. The administrator setting up the software is neither warned of these accounts' existence nor has an option to change the passwords.
In addition, QuickDoc and Office Therapy use a single, hard-coded salt string for encryption. It's not clear precisely how much of the data stored by the system is encrypted, according to Rapid7, but it is clear that whatever is encrypted is less secure than it should be.
DocuTrac has been notified of the vulnerabilities and has not yet released a patch. In the meantime, Rapid 7 recommends limiting physical access to systems that can be used to log into the applications.
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.
About the Author(s)
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
The State of Supply Chain Threats
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
How Enterprises Are Managing Application Security Risks in a Heightened Threat Environment