
Security Expert: Attacker Can Host Any Content Under Healthcare.gov Umbrella

8:11 AM, Jan 24, 2014 • By JERYL BIER

A security expert who has testified before Congress and spoken to the media about vulnerabilities of the Healthcare.gov website has weighed in on the website's latest security issue, which was first reported Thursday by THE WEEKLY STANDARD. David Kennedy, the CEO of TrustedSec, an information security firm, said that the unintended opening at Healthcare.gov detailed in the story would allow malicious scammers to fool users with a "website that’s legitimate to make them believe it's something else." He said the existence of this potential pitfall on the site is "absolutely amazing," and added that "an attacker can basically create a functioning website and host any content they want there and under the umbrella of healthcare.gov."

At issue is the profile feature of the data.healthcare.gov section of the website, which allows anyone to set up a custom-made page intended to host "data-sets" based on the insurance plan information database on the website. Users can sort, group, and otherwise manipulate the data to create unique presentations based on various criteria. However, the lack of disclaimers and other safeguards allows marketers, or worse, scammers and identity thieves, to establish what would appear to be legitimate Healthcare.gov webpages that can be used to redirect users to other sites.

A fuller explanation of the problem, complete with examples of offending profiles, can be found in Thursday's story, but an example of how the profile feature can be misused was set up for this story and can be seen here:

The feature even made it possible to upload a clipping of an actual Healthcare.gov graphic to give the page an even more genuine look. Experienced users of the data-set feature would not be fooled, but unsuspecting users directed to the page by a link beginning with "https://data.healthcare.gov" contained in an email or another website could easily be duped into believing they had accessed a government-sanctioned webpage. Links in the profiles carry no disclaimers or warnings and could be used to redirect users to sites where personal and financial information could be harvested.
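The safeguard the paragraph above says is missing, a "you are leaving this site" warning on off-domain links in user-supplied pages, as an added example that is not code from Socrata, CMS or Healthcare.gov: it takes profile HTML as submitted, leaves first-party links alone, drops javascript: and other non-HTTP targets, and routes every external link through an interstitial page that names the real destination. The trusted host list, the interstitial path and the sample profile are assumptions made for the demonstration.

```python
"""Rewrite off-domain links in user-supplied profile HTML so they pass through
an explicit "you are leaving this site" interstitial.

Added example; not code from Socrata, CMS or Healthcare.gov. The hostnames,
the interstitial path and the sample profile below are assumptions.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Assumed: hosts whose links count as first-party and are left untouched.
TRUSTED_HOSTS = {"data.healthcare.gov", "healthcare.gov", "www.healthcare.gov"}
# Assumed: an interstitial page that displays the destination and a warning.
INTERSTITIAL = "https://data.healthcare.gov/leaving"


def classify_href(href, trusted=TRUSTED_HOSTS):
    """Return 'internal', 'external' or 'blocked' for an anchor target."""
    try:
        parts = urlsplit(href.strip())
    except ValueError:            # e.g. malformed IPv6 literal
        return "blocked"
    if parts.scheme and parts.scheme not in ("http", "https"):
        return "blocked"          # javascript:, data:, mailto: ... never belong here
    host = (parts.hostname or "").lower()
    if not host:
        return "internal"         # relative URL stays on the hosting domain
    # userinfo tricks like http://data.healthcare.gov@evil.example/ are handled
    # by urlsplit: .hostname is the part after the '@'.
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "internal"
    return "external"


class LinkRewriter(HTMLParser):
    """Re-emit the HTML, routing external <a href> targets via the interstitial."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.external = []        # original targets that were rewritten
        self.blocked = []         # targets dropped entirely

    def _emit_tag(self, tag, attrs, self_closing=False):
        pieces = [tag]
        for name, value in attrs:
            pieces.append(name if value is None
                          else '%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (" ".join(pieces), " /" if self_closing else ""))

    def _rewrite_anchor(self, attrs):
        kept, rewritten = [], False
        for name, value in attrs:             # HTMLParser lowercases attr names
            if name == "href" and value is not None:
                kind = classify_href(value)
                if kind == "blocked":
                    self.blocked.append(value)
                    continue                  # drop href: the anchor becomes inert
                if kind == "external":
                    self.external.append(value)
                    value = INTERSTITIAL + "?" + urlencode({"to": value})
                    rewritten = True
            kept.append((name, value))
        if rewritten:                         # replace any author-supplied rel
            kept = [(n, v) for n, v in kept if n != "rel"]
            kept.append(("rel", "nofollow noopener"))
        return kept

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, self._rewrite_anchor(attrs) if tag == "a" else attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_profile_html(html_text):
    """Return (rewritten_html, external_targets, blocked_targets)."""
    parser = LinkRewriter()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.external, parser.blocked


# Constructed sample of an abusive profile page; not taken from the site.
SAMPLE_PROFILE = (
    '<h2>Verify your Marketplace enrollment</h2>'
    '<p>Plans are listed <a href="/browse?category=Health">here</a>. '
    'To confirm coverage, <a href="http://enroll-hc-verify.example/login" rel="me">'
    'sign in with your account</a>.</p>'
    '<p><a href="javascript:alert(1)">Help</a> | '
    '<a href="//hc-rebate.example/claim">Claim rebate</a></p>'
)

if __name__ == "__main__":
    rewritten, ext, blk = sanitize_profile_html(SAMPLE_PROFILE)
    print(rewritten)
    print("external links routed via interstitial:", ext)
    print("non-HTTP targets dropped:", blk)
```

The scheme check matters as much as the host check: a profile author who cannot point off-site may still try `javascript:` or protocol-relative `//evil.example` targets, and both are caught before the host comparison. Note what this does not address: the profile page itself still lives under the trusted domain, so the interstitial only removes the silent off-site redirect, not the borrowed credibility of the hosting domain.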

TrustedSec's Kennedy noted that by Friday morning, after the original story ran on Thursday, the ability to create a data-set profile via the Healthcare.gov website had been removed. However, he pointed out that this may not solve the problem. Profiles can still be set up at opendata.socrata.com, the website that facilitates the data-set function for Healthcare.gov. It is not clear at this time, however, whether those new profiles can be accessed publicly with a data.healthcare.gov address. Accounts set up before Friday are still accessible at Healthcare.gov.
