Switch to Desktop Site
 
 

Obamacare website security called 'outrageous': How safe is it? (+video)

Next Previous

Page 2 of 3

About these ads

For example, the site is supposed to adhere to cybersecurity standards for the federal government set by the National Institute of Standards and Technologies.

But just because all the standards are met does not mean all the holes are plugged. Some cybersecurity experts have echoed Mr. McAfee's comments. Here are some of the red flags they raise.

Request forgery. One potential flaw with the Obamacare website would grant automated “all-Access Request For Other Sites” – which basically allows another site to make a certain kinds of request to healthcare.gov that could lead to “cross-site request forgery” and potentially fooling the government site into releasing restricted information, writes Nidhi Shah, who works on research and development for HP's Web Security Research Group, on a company blog. That red flag appeared on some of the site's pages, but she admits it could not be confirmed at the time on the site’s most secure areas because of high traffic volume.

'Clickjacking.' The government site lacks defenses to prevent an attacker from putting an invisible layer over the legitimate website, Ms. Shah added. As a result, a user clicking on a link or button might end up at a renegade site that looked just the same – and end up divulging personal information to that site.

'Cookie theft.' The site appears not to use a feature that prevents access to cookies that are stored on a user’s personal computer. "Healthcare.gov uses cookies to maintain user history on the site and [for] user identification," Shah writes. At the very least, an attacker could grab "sensitive information such as ... possible health issues, income level, and marital status.”

Next Previous

Page:   1   |   2   |   3


Follow Stories Like This
Get the Monitor stories you care about delivered to your inbox.

Share

Loading...