The Blog

Security Expert: Attacker Can Host Any Content Under Umbrella

8:11 AM, Jan 24, 2014 • By JERYL BIER

A security expert who has testified before Congress and spoken to the media about vulnerabilities of the website has weighed in on the website's latest security issue, which was first reported Thursday by THE WEEKLY STANDARD. David Kennedy, the CEO of TrustedSec, an information security firm, said that the unintended opening at detailed in the story would allow malicious scammers to fool users with a "website that's legitimate to make them believe it's something else." He said the existence of this potential pitfall on the site is "absolutely amazing," and added that "an attacker can basically create a functioning website and host any content they want there and under the umbrella of"

At issue is the profile feature of the section of the website that allows anyone to set up a custom-made page intended to host "data-sets" based on the insurance plan information database on the website. Users can sort, group, and otherwise manipulate the data to create unique presentations based on various criteria. However, the lack of disclaimers and other safeguards allows marketers, or worse, scammers and identity thieves, to establish what would appear to be legitimate webpages which can be used to redirect users to other sites.

A fuller explanation of the problem, complete with examples of offending profiles, can be found in Thursday's story, but an example of how the profile feature can be misused was set up for this story and can be seen here:

The feature even made it possible to upload a clipping of an actual graphic to give the page an even more genuine look. Experienced users of the data-set feature would not be fooled, but unsuspecting users directed to the page by a link beginning with "" contained in an email or another website could easily be duped into believing they had accessed a government-sanctioned webpage. Links contained in the profiles carry no disclaimers or warnings and could be used to redirect users to sites where personal and financial information could be harvested.
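The defensive counterpart to the problem described above, as an added example that is not code from the website, its data-set vendor, or TrustedSec: audit the links in a user-submitted profile fragment, classify each as internal, external, or a blocked scheme, and rewrite external links through an interstitial that tells the visitor they are leaving the site. The trusted host names, the `/leaving` interstitial path, and the sample profile fragment are all constructed assumptions.

```python
"""Flag and rewrite external links in user-submitted profile HTML.

Added illustration only. Assumes the profile body arrives as an HTML
fragment; the trusted host names and the interstitial path are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import quote, urlparse

TRUSTED_HOSTS = {"data.example.gov", "www.example.gov"}   # placeholder hosts
BLOCKED_SCHEMES = {"javascript", "data", "vbscript"}     # never allowed in a profile
INTERSTITIAL = "/leaving"                                # placeholder warning page


class _LinkCollector(HTMLParser):
    """Collects every href on an <a> tag in the fragment."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def classify(href, trusted_hosts=TRUSTED_HOSTS):
    """Return 'blocked', 'internal' or 'external' for one href."""
    u = urlparse(href.strip())
    if u.scheme.lower() in BLOCKED_SCHEMES:
        return "blocked"
    if not u.netloc:                 # relative link: stays on the hosting site
        return "internal"
    if u.hostname in trusted_hosts:  # hostname is lower-cased by urlparse
        return "internal"
    return "external"                # includes scheme-relative //host/path links


def audit_profile(html, trusted_hosts=TRUSTED_HOSTS):
    """List (href, classification) pairs for every link in the fragment."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(h, classify(h, trusted_hosts)) for h in collector.hrefs]


_HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE)


def rewrite_profile(html, trusted_hosts=TRUSTED_HOSTS):
    """Neutralise blocked schemes and route external links via the interstitial."""

    def replace(match):
        href = match.group(1)
        kind = classify(href, trusted_hosts)
        if kind == "blocked":
            return 'href="#"'
        if kind == "external":
            # The interstitial receives the destination as a query parameter
            # and shows a "you are leaving this site" notice before redirecting.
            return 'href="%s?to=%s" data-external="true"' % (
                INTERSTITIAL, quote(href, safe=""))
        return match.group(0)

    return _HREF_RE.sub(replace, html)


# Constructed sample profile: two on-site links, one off-site link that
# imitates an identity check, and one javascript: link.
SAMPLE_PROFILE = (
    '<h1>Official Plan Finder</h1>'
    '<a href="/plans?state=oh">Browse plans</a> '
    '<a href="https://www.example.gov/help">Help</a> '
    '<a href="http://EVIL.example.net/login">Verify your identity</a> '
    '<a href="javascript:alert(1)">x</a>'
)

if __name__ == "__main__":
    for href, kind in audit_profile(SAMPLE_PROFILE):
        print("%-9s %s" % (kind, href))
    print(rewrite_profile(SAMPLE_PROFILE))
```

The rewrite keeps the profile functional for honest users while ensuring that any link leaving the trusted domain is visibly marked and passes through a warning page, which is the safeguard the story notes is missing.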

TrustedSec's Kennedy noted that by Friday morning, after the original story ran on Thursday, the ability to create a data-set profile via the website had been removed. However, he pointed out that this may not solve the problem. Profiles can still be set up at, the website that facilitates the data-set function for It is not clear at this time, however, whether those new profiles can be accessed publicly with a address. Accounts set up before Friday are still accessible at
