Security through WTFery



  • So our company uses a third party for some aspects of our medical coverage, and this third party has an online access portal for viewing useful medical coverage information. I imagine most people would consider this information sensitive and private.

    So I go to the page to set up my access for the first time, and I'm greeted with a pretty standard login form.

    Then I see this block of text to the side. Not in an off-channel email, not something given to me by my company, but right there on the freaking login page:

    --------------------------

    Members:

    Your initial username is your social security number with dashes. (123-45-6789)

    Your initial password is Welcome123.

    We strongly recommend you change both your username and password upon your first log in.

    --------------------------

    My coworkers and I entertained ourselves for a few minutes thinking of all the security problems with this scheme. So far, we've come up with:

    1. The obvious: write a script to try every SSN until you get into the account of someone that hasn't logged in yet (which is quite a few people even in our own company because while we all get one of these accounts, most people don't really need it, at least right away, and some people don't even know about the online access).
    2. If you try an SSN that doesn't exist, it actually tells you that's not a valid username. Granted, people can change the username once they're in, but still.
    3. If you do get in (even legitimately), since I would assume usernames must be unique, you could just try changing your username to various SSNs to get a list of which ones are still valid usernames.
    4. If you do get in by wardialing SSNs, it displays the employee's name once you're in. So now you know the name and medical information about the SSN you just broke in with.
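
A defender's view of items 1 and 2, as an added Python example that is not part of the original thread: it parses constructed auth log lines (the log format is assumed) and flags any source that walks through several distinct SSN-shaped usernames inside a short window, and it shows the uniform error message that keeps the login form from acting as an SSN validity oracle.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format; not from the portal discussed above).
# One source walks consecutive SSN-shaped usernames; the other is an ordinary user.
SAMPLE_LOG = """\
2013-05-01T10:00:01 src=203.0.113.7 user=123-45-6789 result=invalid_username
2013-05-01T10:00:02 src=203.0.113.7 user=123-45-6790 result=invalid_username
2013-05-01T10:00:03 src=203.0.113.7 user=123-45-6791 result=invalid_username
2013-05-01T10:00:04 src=203.0.113.7 user=123-45-6792 result=success
2013-05-01T10:05:00 src=198.51.100.4 user=jsmith result=bad_password
2013-05-01T10:06:00 src=198.51.100.4 user=jsmith result=success
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")  # the "initial username" shape from the OP

def parse_log(text):
    """Turn log lines into dicts with a datetime timestamp; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": src,
                           "user": user, "result": result})
    return events

def find_ssn_enumeration(events, window=timedelta(minutes=5), threshold=3):
    """Return {src: distinct SSN-shaped usernames tried} for every source that
    tries at least `threshold` distinct SSN-shaped usernames inside one `window`."""
    by_src = defaultdict(list)
    for e in events:
        if SSN_RE.match(e["user"]):
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # sliding window starting at each event
            seen = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(seen))
    return alerts

def public_login_error(result):
    """Mitigation for item 2: the same message whether the username is unknown or
    the password is wrong, so a failed login reveals nothing about the username."""
    return "Invalid username or password." if result != "success" else ""
```

Running `find_ssn_enumeration(parse_log(SAMPLE_LOG))` on the constructed log flags only 203.0.113.7, which tried four distinct SSN-shaped usernames within a minute.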


  • In the EU, the employer and likely the provider of the application would get sued all the way to hell and back. I'd have thought / hoped that the repercussions in the U.S. would be similar?



  • Without knowing what data is on the site, it's hard to be sure if this is a WTF or not. If it's just showing you what options you have, then it's no biggie. If it actually has statements for recent insurance events, then it's a huge-ass HIPAA violation.

    The vagueness of "useful medical coverage information" in the OP could cover either case.



  • @blakeyrat said:

    Without knowing what data is on the site, it's hard to be sure if this is a WTF or not. If it's just showing you what options you have, then it's no biggie. If it actually has statements for recent insurance events, then it's a huge-ass HIPAA violation.

    The vagueness of "useful medical coverage information" in the OP could cover either case.

    Here's the one (GIYF):
    https://hrbenefitsdirect.com/Basic/signIn.aspx?ReturnUrl=/BASIC/home.aspx



  • Doesn't look like a new or temporary situation either.

    Either someone made a website in this day and age that uses tables for layout, or it's been this way for what... 10+ years?

    edit: actually screw the tables... how about that shadow on the login box?

    And so on for each pixel row of the shadow.

    edit 2: I guess we don't do pre here...



  • @skotl said:

    In the EU, the employer and likely the provider of the application would get sued all the way to hell and back. I'd have thought / hoped that the repercussions in the U.S. would be similar?

    If they're in the U.S., then they are likely violating HIPAA, as blakey said, but they may also be violating state laws regarding the solicitation, disclosure, or transmission of Social Security Numbers; it'd depend on what state they are in. (See this document from 2008 for some interesting info about laws regarding SSN use: https://www.fas.org/sgp/crs/misc/RL30318.pdf)



  • @Evo said:

    Here's the one (GIYF):
    https://hrbenefitsdirect.com/Basic/signIn.aspx?ReturnUrl=/BASIC/home.aspx

    Well I'm not going to hack into the site, so I still don't know if this WTF is actually against the law or just a WTF.

