Exclusive: Password-Reset Security Glitch Fixed on HealthCare.gov

[Photo: Charles Dharapak / AP] President Barack Obama, standing with supporters of his health care law, speaks in the Rose Garden of the White House in Washington on Oct. 21, 2013.

A security flaw in the original design of HealthCare.gov that could have disclosed e-mail and other account information to hackers was eliminated Monday during an overnight fix, a Center for Medicare and Medicaid Services spokesman has told TIME.

“We are eliminating this theoretical vulnerability by preventing users from seeing the specific reset functionality when trying to reset their password,” said Brian Cook, who works for the agency that oversees the troubled website portal for federal health-insurance exchanges. There is no public evidence that these design flaws were ever exploited to compromise user accounts.

The flaw occurred in the password-reset function of the website. As it was originally designed, the function would return a “reset code” when someone typed in an active username. The code, which was visible only through a browser’s developer tools, could then be used to retrieve the e-mail address associated with the account, as well as the security questions that the user had answered upon signing up. Both disclosures are considered violations of industry best practices because they increase the odds of an outside attacker being able to infiltrate the account, either by guessing the questions’ answers with the help of social-media information or by tricking the user into disclosing a password over e-mail.
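The following is an added illustration, not code from HealthCare.gov or its contractors, of the design problem described above and the usual fix: a reset handler that hands the reset code back in the HTTP response and lets that code unlock the account's e-mail and security questions, beside a hardened version that keeps the token out of the response, sends it to the address already on file, and answers identically whether or not the username exists. The account store, usernames and `send_email` callback are constructed for the example.

```python
import hashlib
import secrets

# Constructed sample account store for the example (not real account data).
ACCOUNTS = {
    "jdoe": {"email": "jdoe@example.com",
             "questions": ["Mother's maiden name?", "First pet's name?"],
             "password": "old-pw"},
}
PENDING_RESETS = {}   # server-side: reset code or token hash -> username


def reset_request_leaky(username):
    """Models the flaw: the reset code is returned to the caller, and the
    response also reveals whether the username exists."""
    if username not in ACCOUNTS:
        return {"status": "unknown user"}
    code = secrets.token_urlsafe(16)
    PENDING_RESETS[code] = username
    return {"status": "ok", "reset_code": code}   # visible in dev tools


def reset_step2_leaky(code):
    """Second step of the flawed flow: the code alone yields the e-mail
    address and the security questions, the data an attacker would want."""
    username = PENDING_RESETS.get(code)
    if username is None:
        return None
    acct = ACCOUNTS[username]
    return {"email": acct["email"], "questions": acct["questions"]}


def reset_request_hardened(username, send_email):
    """Same operation with the disclosure removed: the token travels only to
    the e-mail on file, only its hash is stored, and the response is a
    constant message so usernames cannot be enumerated."""
    acct = ACCOUNTS.get(username)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        PENDING_RESETS[hashlib.sha256(token.encode()).hexdigest()] = username
        send_email(acct["email"], token)
    return {"status": "If that account exists, reset instructions were e-mailed."}


def complete_reset_hardened(token, new_password):
    """Consume the token once; nothing about the account is echoed back."""
    username = PENDING_RESETS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if username is None:
        return False
    ACCOUNTS[username]["password"] = new_password
    return True
```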


The flaw was uncovered on Thursday by Ben Simo, a former president of the Association for Software Testing, and TIME first asked the White House and the Department of Health and Human Services about the flaw on Friday. “We have taken great care to ensure that people’s usernames and information are kept secure,” Cook said Monday, upon disclosing that the problem would be resolved.

The unnecessary disclosure of information during password resets has long been a tool hackers have used to gain access to confidential information. A famous 2009 hack of several private Twitter corporate accounts began when an attacker exploited the password-reset function of a Gmail account to uncover a backup e-mail address. “It’s a serious problem,” explains Jeremiah Grossman, the founder of WhiteHat Security, a firm that protects websites from malicious hackers. “It’s also a common problem.”

Simo discovered the problem with a user account he created on HealthCare.gov for a family member. “I am glad they fixed it and seemed to respond right away,” he says, before noting that he has found other concerns, including the transmission of account information without encryption. “I hope this means they are dealing with security across the board.”
