websecurity@lists.webappsec.org

The Web Security Mailing List


Looking for advice about questionable web application practice.

Burton, Jim
Tue, Oct 9, 2012 4:16 PM

Our state's Governor's office recently started a health clinic for state employees. This clinic, run by a third party, set up a web site to allow users to set up appointments at the clinic and to provide private health information.

When setting myself and my family members up, I was startled to get a warning saying that the password I wanted to use was not available, and I needed to choose another one.

Understand that this wasn't because it failed to meet password criteria, but because that particular password was already in use!

In fact, I wanted to use the same password for my children's accounts, since they are under age and I will be setting up their appointments anyway. I entered the same password as for my account, and received this error message: "That password, XXXXXXX (the password was shown on screen!) is already in use. Please choose another."

I raised my concerns about this to the third-party provider, and was told they are requiring "unique usernames and passwords for enhanced security".

I replied that, since the web application is helpfully telling me that a password is already in use, and would also tell me that a username is already in use, I could develop a dictionary attack to build a list of known passwords and usernames, put the two together, and be able to access accounts. This would provide me with social security numbers and health-related information about other users.

I raised this issue with our state security officer, who told me they were told not to comment.

Am I out of line here? I'm a Unix server admin, not a security pro, so I am certainly not up to date on best practices for Web apps. But this "unique password" idea strikes me as a severe problem.

Jim

List
Tue, Oct 9, 2012 4:46 PM

Jim,

It appears based on your description of the issue that you are correct to be concerned.

You can check with the state comptroller's office regarding audits that cover this territory, or file a HIPAA violation claim at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

This being an election year, I am sure if there is someone willing to listen to you...

I would additionally avoid performing any exploratory actions beyond your and your children's accounts.

Regards,

Gabriel Gumbs


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Ehlers, Chris
Tue, Oct 9, 2012 4:48 PM

Hi Jim

Basic web security practice dictates that errors on incorrect credentials should not give away which field was incorrect, as this allows for enumeration of usernames and passwords – additionally, it will make automation easier.

What I assume will happen is that the lazy/non-security-conscious users will enter a password, realise it is taken and just add a number to it – password=password (taken), OK, let's try password=password1

I would say that this measure by no means increases security and actually achieves the opposite. A much better method is to introduce a password policy: must be more than x characters, must contain …

Kind Regards

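The following is an added example, not code from this thread or from the clinic's provider, contrasting the registration behaviour Jim describes with the approach Chris recommends. It assumes in-memory dictionaries in place of a database, an assumed minimum length of 12 characters, a constructed two-entry blocklist standing in for a real known-weak-password list, and an assumed PBKDF2 work factor; the function names (`register_weak`, `register_hardened`, `login_hardened`, `policy_violation`) are the example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory stores for this example; a real system would use a database.
WEAK_STORE: Dict[str, str] = {}                      # username -> plaintext password
HARDENED_STORE: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, PBKDF2 digest)

MIN_LENGTH = 12                        # assumed policy value for the example
BLOCKLIST = {"password", "password1"}  # constructed stand-in for a known-weak-password list
PBKDF2_ITERATIONS = 100_000            # assumed work factor; tune to the deployment
GENERIC_LOGIN_ERROR = "Invalid username or password."
_DUMMY_SALT = os.urandom(16)           # lets unknown usernames still cost one hash


def policy_violation(password: str) -> Optional[str]:
    """Return why the candidate fails the policy, or None if it passes.

    This is the 'password policy' alternative from the thread: every rule
    looks only at the candidate itself, never at other users' passwords.
    """
    if len(password) < MIN_LENGTH:
        return "Password must be at least %d characters." % MIN_LENGTH
    if password.lower() in BLOCKLIST:
        return "Password is too common; choose another."
    return None


def register_weak(username: str, password: str) -> str:
    """The pattern the thread describes: plaintext storage plus a cross-user
    uniqueness check whose error echoes the rejected password. Kept only as
    the 'before' for comparison with register_hardened."""
    if username in WEAK_STORE:
        return "That username is already in use."
    if password in WEAK_STORE.values():
        return "That password, %s, is already in use. Please choose another." % password
    WEAK_STORE[username] = password
    return "Account created."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. A fresh per-user salt means equal passwords
    yield different digests, so the store cannot reveal reuse even by accident."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register_hardened(username: str, password: str) -> str:
    """Policy check on the candidate only, then salted hash. Username
    availability is the one fact registration has to reveal; nothing about
    any password is ever echoed back."""
    if username in HARDENED_STORE:
        return "That username is already in use."
    reason = policy_violation(password)
    if reason is not None:
        return reason
    HARDENED_STORE[username] = hash_password(password)
    return "Account created."


def login_hardened(username: str, password: str) -> Tuple[bool, str]:
    """One generic message for a wrong username and for a wrong password, so
    the response cannot be used to tell the two cases apart. The hash is
    computed even for unknown usernames so the timing is similar too."""
    salt, stored = HARDENED_STORE.get(username, (_DUMMY_SALT, bytes(32)))
    _, candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored) and username in HARDENED_STORE
    return (True, "Welcome.") if ok else (False, GENERIC_LOGIN_ERROR)


def demo() -> Dict[str, str]:
    """Run both flows on constructed accounts and return the responses."""
    shared = "correct horse battery"  # a parent reusing one password for a child's account
    return {
        "weak_parent": register_weak("jim", shared),
        "weak_child": register_weak("child1", shared),       # echoes the parent's password
        "hard_parent": register_hardened("jim", shared),
        "hard_child": register_hardened("child1", shared),   # accepted; no cross-user check
        "hard_short": register_hardened("child2", "short"),
        "login_bad_user": login_hardened("nobody", shared)[1],
        "login_bad_pass": login_hardened("jim", "not the password")[1],
    }


if __name__ == "__main__":
    for key, message in demo().items():
        print("%-15s %s" % (key, message))
```

Running `demo()` shows the two stores side by side: the weak flow rejects the child's account and prints the parent's password in the error, while the hardened flow accepts the same password for both accounts and stores two different digests, because the per-user salt makes cross-user comparison impossible by construction. The login path returns the same string for an unknown username and for a wrong password, which is the enumeration-resistant behaviour Chris describes.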
Tasos Laskos
Tue, Oct 9, 2012 4:53 PM

I think the guys here are being too polite.

Another response would be that they are f'ing useless and you should
try to stay away from that piece of crap as we're talking about a
website holding pretty sensitive information here.

Obviously, whoever designed/built this has absolutely no idea about
security as they went out of their way to make the system more insecure
-- while thinking they were doing the exact opposite.

Don't trust 'em, don't use it.

Cheers

Prasad Shenoy
Wed, Oct 10, 2012 5:05 PM

Wow! That's something. And what's with the "..told not to comment..."? That's just lame in my opinion, an example of people clearly making a conscious decision not to do the right thing. It's part ignorance as well but neglecting your attempt to highlight the risk makes it a crime.

I would take Chris's advice and raise a HIPAA violation.

Thank you,
Prasad N. Shenoy
