Oct 07, 2013 (07:10 AM EDT)
5 Obamacare Health Site Security Warnings

Read the Original Article at InformationWeek

1   2  
9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Are the health insurance exchanges -- aka "Obamacare" -- websites mandated by the Affordable Care Act safe against online attackers?

After the exchanges, also known as health insurance marketplaces, debuted Tuesday, users reported difficulty using them, to either price or sign up for insurance. At the federal level, White House officials blamed the glitches -- which persisted throughout last week -- on the large number of visitors to healthcare.gov, which saw 4.7 million unique visitors in its first 24 hours, and 9 million in total by Friday.

Sunday, however, federal officials admitted that healthcare.gov would require both code-level improvements as well as increased server capacity. "We can do better and we are working around the clock to do so," Department of Health and Human Services spokeswoman Joanne Peters told The Wall Street Journal. Forthcoming improvements will reportedly include both software and hardware changes.

[ Find out how Obamacare could change how companies offer health insurance to employees. Read Obamacare: The Rise Of Private Health Insurance Exchanges. ]

To that list of fixes, however, the federal government -- which through healthcare.gov is currently supporting or running health insurance exchanges for 36 states -- and 14 states that are running their own exchanges might want to add a handful of information security improvements.

Here are five top concerns:

1. All-Access Request For Other Sites

According to Nidhi Shah, who works on research and development for HP's Web Security Research Group, healthcare.gov uses an HTML5 header that allows any site to make an AJAX request to healthcare.gov, then see a response. "We could not access [the] authenticated area of healthcare.gov -- the site was overloaded -- but if this is the policy applied to any authenticated page of the site, it could expose the site to serious threats like cross-site request forgery (CSRF)," Shah said in a blog post. CSRF attacks, which have a place on the SANS list of the 25 most dangerous software errors (at #12), refer to tricking a targeted website into disclosing sensitive information.

2. Clickjacking Threat

The second major healthcare.gov security concern is the site's lack of clickjacking defenses. Using clickjacking, an attacker could overlay invisible elements on the legitimate website, so that, for example, if a user clicked what appeared to be a real link, it might run a malicious script instead. "To our surprise, healthcare.gov does not deploy any defense and the site can be easily framed inside an HTML iFrame tag," Shah said. In the past, many websites have used JavaScript "framekillers" to mitigate this type of vulnerability. "However, the introduction of the iFrame Sandbox attribute in the HTML5 specification has rendered that approach useless," she said.

3. Cookie Theft

According to Shah, healthcare.gov fails to employ HttpOnly, which restricts access to cookies stored on a PC, in particular defending them against malicious scripts. The site also fails to employ secure flags for cookies, which prevents cookies from being transmitted in plaintext -- which makes them vulnerable to eavesdropping -- by only transmitting cookies after an HTTPS session has first been established.

"Healthcare.gov uses cookies to maintain user history on the site and [for] user identification," said Shah. Although she doesn't know if the cookies will also save a user's credentials, an attacker could at least retrieve "sensitive information such as ... possible health issues, income level, and marital status," she said, that most people would rather remain private.