ObamaCare California Website Flaws (500K users' information at risk of hijacking)

ObamaCare is again in the spotlight. California's site has more than 500K users, and, as the video shows, their accounts are at risk of a hijacking attack.
The site's administrators have been warned, but so far this hasn't been fixed.

Vulnerability found by Kristian Hermansen

The vulnerability is a horizontal privilege escalation. The PIN reset function, while updating the PIN for the current user, also sends all of that user's personal data, including the username, in the body of the POST request, and the server trusts those client-supplied values instead of the authenticated session. An attacker can therefore intercept and tamper with the request, exchanging his own username for the victim's, and set a new PIN for the victim's account.
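To make the flaw concrete, here is an illustrative model of a PIN-reset handler that trusts the username in the POST body, next to a hardened version that binds the target account to the server-side session and also demands the current PIN. This is an added example, not Covered California's code; the user store, the session table, the `username`/`current_pin`/`new_pin` field names and both handler names are assumptions made for the demonstration.

```python
"""Model of the PIN-reset flaw described above.

Added example, not Covered California's code.  UserStore, login,
reset_pin_vulnerable, reset_pin_fixed and the form field names are
assumptions made for this demonstration.
"""
import hashlib
import hmac
import secrets


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored PINs cannot be read back from the database."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class UserStore:
    """Constructed in-memory user table: username -> salted PIN hash."""

    def __init__(self) -> None:
        self.users: dict[str, dict[str, bytes]] = {}

    def add(self, username: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pin_hash": hash_pin(pin, salt)}

    def verify(self, username: str, pin: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pin_hash"], hash_pin(pin, rec["salt"]))

    def set_pin(self, username: str, new_pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pin_hash": hash_pin(new_pin, salt)}


def login(store: UserStore, sessions: dict[str, str], username: str, pin: str) -> str:
    """Issue a random session token bound server-side to the authenticated user."""
    if not store.verify(username, pin):
        raise PermissionError("bad credentials")
    token = secrets.token_urlsafe(32)
    sessions[token] = username
    return token


def reset_pin_vulnerable(store, sessions, token, form):
    """The flaw: the session is checked, but the *target* account is read from
    the client-supplied POST body, so any logged-in user can point the reset
    at someone else's username."""
    if token not in sessions:
        raise PermissionError("not logged in")
    store.set_pin(form["username"], form["new_pin"])


def reset_pin_fixed(store, sessions, token, form):
    """Hardened form: the target is the session owner, never the POST body,
    and the caller must prove knowledge of the current PIN."""
    actor = sessions.get(token)
    if actor is None:
        raise PermissionError("not logged in")
    if form.get("username", actor) != actor:
        raise PermissionError("target account does not match session owner")
    if not store.verify(actor, form["current_pin"]):
        raise PermissionError("current PIN incorrect")
    store.set_pin(actor, form["new_pin"])


def demo() -> dict[str, bool]:
    """Replay the tampered request against both handlers and report the outcome."""
    store, sessions = UserStore(), {}
    store.add("attacker", "1111")
    store.add("victim", "2222")
    token = login(store, sessions, "attacker", "1111")

    # The attacker's own reset request, with the username field swapped to the victim's.
    tampered = {"username": "victim", "current_pin": "1111", "new_pin": "9999"}

    reset_pin_vulnerable(store, sessions, token, tampered)
    hijacked = store.verify("victim", "9999")  # the attacker now knows the victim's PIN

    store.set_pin("victim", "2222")  # restore the victim before the second run
    try:
        reset_pin_fixed(store, sessions, token, tampered)
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "vulnerable_hijacked": hijacked,
        "fixed_blocked": blocked,
        "fixed_pin_unchanged": store.verify("victim", "2222"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the fix is that nothing in the request body is allowed to name the account being changed: the identity comes only from the session the server itself issued, and a second factor (the current PIN) is required so that a stolen session cookie alone cannot rotate the credential either.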

http://www.youtube.com/watch?v=adwNpYJ_Ksk&feature=youtu.be

EDIT: the video was removed from YouTube.

The PoC is in the video above. For the moment, it is not known whether this affects any other ObamaCare sites besides California's.
