The Obamacare website has more than annoying bugs. A cybersecurity expert found a way to hack into users’ accounts.
Until the Department of Health fixed the security hole last week, anyone could easily reset your Healthcare.gov password without your knowledge and potentially hijack your account.
The glitch was discovered last week by Ben Simo, a software tester in Arizona. Simo found that gaining access to people’s accounts was frighteningly simple. You could have:
guessed an existing user name, and the website would have confirmed it exists.
claimed you forgot your password, and the site would have reset it.
viewed the site’s unencrypted source code in any browser to find the password reset code.
plugged in the user name and reset code, and the website would have displayed a person’s three security questions (your oldest niece’s first name, name of favorite pet, date of wedding anniversary, etc.).
answered the security questions wrong, and the website would have spit out the account owner’s email address — again, unencrypted.
Just one of many reasons to avoid Healthcare.gov.