Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/20/2013
03:34 PM
Gunter Ollmann
Gunter Ollmann
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Healthcare.gov Security Hiccups

Take two aspirin and call me in the morning

Senior penetration testers used to say that if you wanted to practice on a live Internet website and not get into any trouble, then pick a porn site. Even if you were caught by the site owners, they'd never prosecute and, if they did, the court of public opinion would be on your side.

Today it looks like there's a new candidate for honing your hacking skills: the website of President Obama's flagship Affordable Care Act.

Healthcare.gov has been subject to a barrage of attacks, both online and in the media, ever since appeared online. This week, the site has a portion of the media hot under the collar due to a few client-side flaws and an expectation that recorded attack attempts should have been scrubbed from some prefill search results.

For the public reading these stories, many are bound to think that someone's limb had been torn away by a pack of rapid wolves, and surgeons were desperately trying to sew the victim back together. In reality, it's more like dealing with a hangover from the night before, where the cure is a good old aspirin.

Essentially, two vulnerabilities are being talked about this week. The most visible is merely a reflection of how people have been trying to hack the website, and how the contextual prefill of the search box lists the most common attack strings folks have been throwing at it. It's amusing, really.

The site developers appear to have done a good job sanitizing the input (i.e., replacing potentially malicious characters with their safe HTML counterparts), but they could have probably saved themselves the present grief had they simply dropped certain strings from making it to the prefill candidate list. They appear to have applied some prefill filtering in the past to prevent common swear words from appearing, and have now (since this media frenzy started) added many of the strings more commonly associated with SQL injection since the issue was pointed out. For example, the following no longer appear if you type a semi-colon:

The second vulnerability has to do with the way the client-side script components of the website handle HTML characters as they're typed into the search box (and, no doubt, other areas of the site if you were to go hunting for them). In essence, the client-side scripts get a little confused. While potentially annoying for people having a poke at the website in their bug-hunting quest, it's nothing to be concerned about by those actually intent on using the site for what it's supposed to do.

I've heard a few people point out that the combination of these two bugs could potentiallybe exploited in a cross-site scripting attack, but you have better odds of being hit by a meteorite.

For all of the faults in the site that have been pointed out in the past month, this latest batch only merits a one-shoulder shrug.

-- Gunter Ollmann, CTO IOActive Inc.

 

Gunter Ollmann serves as CTO for security and helps drive the cross-pillar strategy for the cloud and AI security groups at Microsoft. He has over three decades of information security experience in an array of cyber security consulting and research roles. Before to joining ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Jeff Stebelton
50%
50%
Jeff Stebelton,
User Rank: Strategist
11/21/2013 | 6:38:26 PM
re: Healthcare.gov Security Hiccups
Trusted Sec stated in their report that they found several critical issues with the Web site that they could not release under responsible disclosure principles. This was noted in the report they submitted to the House of Representatives Science, Space and Technology Committee hearing.

The other three researchers concurred, rather emphatically, if you watched the hearing. Perhaps it would be prudent to wait until the site is fixed and the researchers can release the information on the other issues they found before dismissing their findings. Given the number of other technical shortcomings the site has had, the fact that it was put into production in spite of warnings as far back as last March that it wouldn't be ready, the revelation that it was never properly tested and the statement that there are over 500 million lines of code involved, I don't think it would be a surprise if it was found as insecure or more so than most other federal government web sites.
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...