[ISN] So You Found An Obamacare Website Is Hackable. Now What?

http://www.forbes.com/sites/kashmirhill/2014/01/15/so-you-found-an-obamacare-website-is-hackable-now-what/

By Kashmir Hill
Forbes Staff
1/15/2014

Two months ago, L.A.-based security researcher Kristian Erik Hermansen was signing up for Obamacare via the Covered California site. Given his background in finding vulnerabilities in software and websites, spotting security flaws is second nature to him, so he couldn’t help but notice problems with the California site, which has seen the most registrations for healthcare in the country.

The technical problems with the website set up for the Affordable Care Act have been well-documented and security flaws have been discovered. When critics started calling the main federal Obamacare site a “hacker’s dream” though, people rightly pointed out that the more sensitive information — social security numbers, incomes, and birthdates — is instead in the hands of the state-level portals. That of course is exactly what the Covered California site is.

Hermansen discovered a vulnerability that would allow someone to take over another person’s account on the California site, and review or change the information entered there. He tried contacting Covered California “at least 15 times” by email, phone or chat about the problem, but got no response for over a month. “They must have been overwhelmed by people seeking help with the site,” he says.

On December 24, he finally got through by phone to a Covered California representative and explained the issues he’d found, but they remained unfixed and he didn’t hear back from them. Given that it was Christmas, that’s not terribly surprising. But Hermansen, frustrated that the flaw had been out there for over a month already, decided two days later to release a video of the exploit to YouTube and posted it to a security sub-Reddit. That got the attention of a Covered California lawyer who contacted him to take the video down, and also flagged it with YouTube; it was soon removed.
The lawyer’s tone was contrite in the email. “I am sorry no one responded to you earlier,” he wrote. “We will have to figure out where or how your prior message to us got lost.” Hermansen then spoke by phone to the lawyer and a chief security person. “They were not interested in talking about the security issues but about getting the video or any other online mention of the flaw taken down,” he says. […]