This is not a Facebook scare or urban legend. If you are considering using healthcare.gov, it’s important you realize the security implications of the following.
Many of you have at some point changed the e-mail address on a web account. Most sites confirm such a change by e-mailing the address that was on file before the change, so that the account's real owner learns of it and can object if it was not authorized. If someone logs on to Amazon.com and changes dtienes@gmail.com to hacker@gmail.com, dtienes@gmail.com gets notified and can do something about it.
Twitter user @QualityFrog posted the following last night:
What this means is that healthcare.gov sends the notice only to the new address. If someone gets into your account and changes the e-mail address, the message saying the address was changed goes to hacker@gmail.com, not to you, and you have no idea what has happened. On most sites the address on file is also where password resets go, so whoever controls it can lock the real owner out of the account entirely.
Granted, the bad guys still need to get into your account to do this; the notification is a detection and recovery control, not a prevention control. But it is nevertheless a basic design error. In my opinion, the responsible thing to do is shut the site down until this is fixed. That's what I would do.
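To make the difference concrete, here is an added example (not code from the original post or from healthcare.gov) of an e-mail-change handler written both ways: the pattern the post describes, where the notice goes only to the new address, and the pattern most sites follow, where the old address is told and can undo the change and the new address must confirm before it becomes active. The Account and Message classes, the in-memory outbox standing in for a mail server, and the token handling are assumptions made for this illustration.

```python
"""Added example, not from the original post or from healthcare.gov.

change_email_insecure reproduces the behaviour the post describes.
change_email_secure is the hardened pattern: notify the OLD address with a
revert token, and only activate the NEW address once it confirms.
Account, Message, the outbox list and the token scheme are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional
import secrets


@dataclass
class Message:
    to: str
    subject: str
    body: str


@dataclass
class Account:
    email: str                           # address currently on file
    pending_email: Optional[str] = None  # new address awaiting confirmation
    confirm_token: Optional[str] = None  # proves control of pending_email
    revert_token: Optional[str] = None   # lets the old address undo the change
    revert_email: Optional[str] = None   # address to restore on revert


def change_email_insecure(account: Account, new_email: str, outbox: List[Message]) -> None:
    """The flaw the post describes: update in place, tell only the new address.
    If the session belongs to an attacker, only the attacker is told."""
    account.email = new_email
    outbox.append(Message(to=new_email,
                          subject="Your e-mail address was changed",
                          body=f"The address on your account is now {new_email}."))


def change_email_secure(account: Account, new_email: str, outbox: List[Message]) -> None:
    """Hardened handler: old address is notified and can revert; new address
    must confirm before it replaces the old one."""
    old_email = account.email
    account.pending_email = new_email
    account.confirm_token = secrets.token_urlsafe(32)
    account.revert_token = secrets.token_urlsafe(32)
    account.revert_email = old_email
    # 1. Tell the address on file, which is the one the real owner reads.
    outbox.append(Message(to=old_email,
                          subject="E-mail change requested on your account",
                          body=(f"Someone asked to change your address to {new_email}. "
                                f"If this was not you, undo it with revert token "
                                f"{account.revert_token} and change your password.")))
    # 2. Ask the new address to prove it is real and reachable.
    outbox.append(Message(to=new_email,
                          subject="Confirm your new e-mail address",
                          body=f"Confirm with token {account.confirm_token}."))


def confirm_new_email(account: Account, token: str) -> bool:
    """Activate the pending address. Constant-time compare avoids leaking the token."""
    if account.confirm_token is None or not secrets.compare_digest(token, account.confirm_token):
        return False
    account.email = account.pending_email
    account.pending_email = None
    account.confirm_token = None
    # revert_token stays valid so the old owner can still undo a hijack after confirmation.
    return True


def revert_email_change(account: Account, token: str) -> bool:
    """Undo the change from the old address, whether or not it was confirmed."""
    if account.revert_token is None or not secrets.compare_digest(token, account.revert_token):
        return False
    account.email = account.revert_email
    account.pending_email = account.confirm_token = None
    account.revert_token = account.revert_email = None
    return True


def recipients(outbox: List[Message]) -> List[str]:
    """Who was told about the change: the audit question the post raises."""
    return sorted(m.to for m in outbox)


if __name__ == "__main__":
    for handler in (change_email_insecure, change_email_secure):
        acct = Account(email="dtienes@gmail.com")
        sent: List[Message] = []
        handler(acct, "hacker@gmail.com", sent)
        print(f"{handler.__name__}: notified {recipients(sent)}, active address {acct.email}")
```

The point of the second handler is not the tokens themselves but who receives mail: the address on file before the change is the only channel the real owner is guaranteed to see, so it must be told, and it should keep the power to undo the change even after the new address has confirmed.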
I urge you to follow @QualityFrog, and check out his earlier Tweets. He’s a professional software tester…and yes, there is such a thing. He’s doing the job Health and Human Services should have done by going step-by-step through the site. He’s found a lot of ugly, but nothing as ugly as this.
@dtienes
Potential (Big) healthcare.gov Security Flaw (No Fooling)