Healthcare.gov is undoubtedly the most important site of the week. The site handles the sensitive information of millions of Americans: health history, identity, tax records and more. A project this important, naturally, is attractive to both security researchers and malicious attackers looking to identify security issues. The only difference is that security researchers stick to passive analysis and malicious attackers look for ways to exploit what they find. In this post, we will outline three quick observations that would encourage a malicious attacker to try to exploit the site. While these observations don’t indicate that the site already has any major vulnerability, they are red flags and, given the potential benefit, an attacker has plenty of motivation to explore further. A site this public and this important should follow security best practices from line one of code and configuration.
- Access-Control-Allow-Origin: * This header is part of the HTML5 Cross-Origin Resource Sharing (CORS) feature, which lets sites communicate across domains. The header is used to restrict which domains can make an AJAX request to healthcare.gov and read the content of the response. A value of “*” for this header indicates that any site can initiate a request to healthcare.gov and receive the response. We could not access the authenticated area of healthcare.gov (the site was overloaded), but if this policy is applied to any authenticated page of the site, it could expose the site to serious threats such as Cross-Site Request Forgery (CSRF). Failing to restrict cross-domain communication can allow a malicious site to send requests, including POST requests, to healthcare.gov on the victim’s behalf and gain access to their health records, and possibly enough information to steal their identity. Healthcare.gov should reconsider enabling the CORS feature on this site. Any required cross-domain functionality should be moved to web services. If that is not possible, they should restrict the value of this header to specific domains and specific functionality.
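The following is an added example, not code from the original post or from healthcare.gov: a small checker that flags risky CORS response headers (the wildcard policy described above, the “null” origin, and reflected origins), alongside the allowlist-based policy the post recommends. The allowlisted origins and the sample responses are constructed for the example.

```python
from typing import Dict, List, Optional

# Constructed allowlist (assumption): the only origins permitted to read responses cross-origin.
ALLOWED_ORIGINS = {"https://www.healthcare.gov", "https://api.healthcare.gov"}


def assess_cors(headers: Dict[str, str], request_origin: Optional[str] = None) -> List[str]:
    """Inspect one HTTP response's CORS headers and return a list of findings (empty = nothing flagged)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao is None:
        return findings  # no CORS grant at all: the same-origin policy applies
    if acao == "*":
        findings.append("wildcard origin: any site can read the response")
        if creds:
            # Browsers refuse to pair '*' with credentials, but the header pair still shows
            # the server intends to share authenticated content cross-origin.
            findings.append("wildcard combined with Allow-Credentials: misconfiguration")
    elif acao == "null":
        findings.append("'null' origin allowed: sandboxed frames can read the response")
    elif request_origin and acao == request_origin and acao not in ALLOWED_ORIGINS:
        findings.append(f"request origin reflected without allowlist check: {acao}")
        if creds:
            findings.append("reflected origin with credentials: authenticated data readable cross-site")
    if acao != "*" and "origin" not in h.get("vary", "").lower():
        findings.append("per-origin ACAO without 'Vary: Origin': caches may serve it to other origins")
    return findings


def cors_headers_for(request_origin: Optional[str], allowed=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Hardened policy: emit CORS headers only for an allowlisted origin, never '*'."""
    if request_origin not in allowed:
        return {}  # unknown origin: no grant, browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample of the policy observed in the post.
    observed = {"Access-Control-Allow-Origin": "*", "Content-Type": "application/json"}
    for finding in assess_cors(observed):
        print("finding:", finding)
    print("hardened:", cors_headers_for("https://www.healthcare.gov"))
```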
This is a very important site for a lot of people and, no matter how challenging it is to keep up with demand, security should never be put on the back burner. A site built upon the principles of security is naturally more reliable.