Healthcare.gov Security Hiccups

Take two aspirin and call me in the morning

Gunter Ollmann, CTO, Security, Microsoft Cloud and AI Division

November 20, 2013

3 Min Read
Dark Reading logo in a gray background | Dark Reading

Senior penetration testers used to say that if you wanted to practice on a live Internet website and not get into any trouble, then pick a porn site. Even if you were caught by the site owners, they'd never prosecute and, if they did, the court of public opinion would be on your side.

Today it looks like there's a new candidate for honing your hacking skills: the website of President Obama's flagship Affordable Care Act.

Healthcare.gov has been subject to a barrage of attacks, both online and in the media, ever since appeared online. This week, the site has a portion of the media hot under the collar due to a few client-side flaws and an expectation that recorded attack attempts should have been scrubbed from some prefill search results.

For the public reading these stories, many are bound to think that someone's limb had been torn away by a pack of rapid wolves, and surgeons were desperately trying to sew the victim back together. In reality, it's more like dealing with a hangover from the night before, where the cure is a good old aspirin.

Essentially, two vulnerabilities are being talked about this week. The most visible is merely a reflection of how people have been trying to hack the website, and how the contextual prefill of the search box lists the most common attack strings folks have been throwing at it. It's amusing, really.

The site developers appear to have done a good job sanitizing the input (i.e., replacing potentially malicious characters with their safe HTML counterparts), but they could have probably saved themselves the present grief had they simply dropped certain strings from making it to the prefill candidate list. They appear to have applied some prefill filtering in the past to prevent common swear words from appearing, and have now (since this media frenzy started) added many of the strings more commonly associated with SQL injection since the issue was pointed out. For example, the following no longer appear if you type a semi-colon:

The second vulnerability has to do with the way the client-side script components of the website handle HTML characters as they're typed into the search box (and, no doubt, other areas of the site if you were to go hunting for them). In essence, the client-side scripts get a little confused. While potentially annoying for people having a poke at the website in their bug-hunting quest, it's nothing to be concerned about by those actually intent on using the site for what it's supposed to do.

I've heard a few people point out that the combination of these two bugs could potentiallybe exploited in a cross-site scripting attack, but you have better odds of being hit by a meteorite.

For all of the faults in the site that have been pointed out in the past month, this latest batch only merits a one-shoulder shrug.

-- Gunter Ollmann, CTO IOActive Inc.

 

About the Author

Gunter Ollmann

CTO, Security, Microsoft Cloud and AI Division

Gunter Ollmann serves as CTO for security and helps drive the cross-pillar strategy for the cloud and AI security groups at Microsoft. He has over three decades of information security experience in an array of cyber security consulting and research roles. Before to joining Microsoft, Gunter served as chief security officer at Vectra AI, driving new research and innovation into machine learning and AI-based threat detection of insider threats. Prior to Vectra AI, he served as CTO of domain services at NCC Group, where he drove the company's generic Top Level Domain (gTLD) program. He was also CTO at security consulting firm IOActive, CTO and vice president of research at Damballa, chief security strategist at IBM, and built and led well-known and respected security research groups around the world, such as X-Force. Gunter is a widely respected authority on security issues and technologies and has researched, written and published hundreds of technical papers and bylined articles.

Originally, Gunter had wanted to be an architect but he lost interest after designing retaining walls during a three-month internship. After that, he qualified as a meteorologist, but was lured to the dark side of forecasting Internet threats and cyberattacks. His ability to see dead people stoked an interest in history and first-millennium archaeology.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights