
Researchers Find a Way to Hack Spanish Language

Until fixed on Wednesday afternoon, a security flaw in -- the Spanish language version of -- could have allowed hackers to steal personal information from enrollees as they typed, according to three independent software developers. The Health and Human Services Department repaired the software error after Nextgov inquired about the defect early Wednesday.

HHS remedied a similar bug on the English-speaking site at some point between Oct. 4 and Oct. 10.

While citizens bemoan the online healthcare shop’s inelegant functionality, some programmers say the same clumsiness is creating vulnerabilities that criminals could exploit, especially as the site becomes more reliable and attracts more users.

The Spanish version remained faulty likely because the estimated 500 million lines of code running the marketplace are managed by multiple system administrators and reside on separate servers, said Gabriel Harrop, who examined public code through his browser’s developer tools.

HHS spokeswoman Joanne Peters said on Wednesday that personnel are mending the weakness and adding extra protections.

“We have taken great care to ensure that people's usernames and information are kept secure,” she said in an email. “We are eliminating this theoretical vulnerability by preventing users from seeing the specific reset functionality when trying to reset their password.”

Personnel are correcting this specific issue by preventing the server from sending, in plain view, a unique Web session identifier to browsers, HHS officials said. The ID had been sent and stored in every user’s browser, according to outside programmers.

The core of’s technical troubles is its ad-hoc construction, they added.

The problem with making last-minute changes and adding software packages is that “if a vulnerability comes up in the future, with their code or one of the packages that they have included, they are most likely not going to be able to push an update” or devise a workaround quickly, Harrop said Tuesday afternoon, before the fix. “So just the fact that they haven’t fixed these fairly small trivial issues is not a very good sign.”

He discovered the glitch within two hours Tuesday morning, after he started poking around for holes.

The so-called invisible frame injection identified could let hackers capture Social Security numbers and other confidential information that healthcare applicants enter while enrolling. Invisible frames (iframes) are HTML elements often used to embed clickable ad boxes on webpages. The iframe error on allowed unauthorized users to insert a credential-stealing file that, for example, could be set to activate when a user clicked on the "Solicitar Ahora" (Apply now) box on the homepage.
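As an added defensive illustration, not code from the article or from HHS: the two weaknesses described here (a session identifier handed to the browser without cookie protections, and a page that can carry an injected iframe) can be caught by auditing response headers and by escaping untrusted text before it reaches the page. The header values and the cookie name are constructed samples.

```python
from http.cookies import SimpleCookie
from html import escape

# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Set-Cookie": "SESSIONID=abc123; Path=/",
    "Content-Type": "text/html",
}
HARDENED_HEADERS = {
    "Set-Cookie": "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'; frame-src 'none'",
}


def audit_response(headers):
    """Return findings for session-cookie exposure and missing framing controls."""
    findings = []
    # 1. A session identifier the browser stores should not be readable by
    #    injected script (HttpOnly) or sent over plain HTTP (Secure).
    cookie_header = headers.get("Set-Cookie", "")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        for name, morsel in jar.items():
            if "session" in name.lower():
                if not morsel["httponly"]:
                    findings.append(f"{name}: missing HttpOnly (readable by injected script)")
                if not morsel["secure"]:
                    findings.append(f"{name}: missing Secure (sent over plain HTTP)")
    # 2. Framing controls: without them the page can be framed, and without a
    #    CSP frame restriction an injected <iframe> may load any origin.
    csp = headers.get("Content-Security-Policy", "")
    if "X-Frame-Options" not in headers and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors: page can be framed")
    if not any(d in csp for d in ("frame-src", "child-src", "default-src")):
        findings.append("CSP does not restrict frame sources: injected <iframe> can load any origin")
    return findings


def render_untrusted(value):
    """Escape text before placing it in HTML so a supplied <iframe> is shown, not rendered."""
    return f"<span>{escape(value, quote=True)}</span>"


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response(hdrs) or ["no findings"])
    print(render_untrusted('<iframe src="https://example.invalid/"></iframe>'))
```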

Identity theft is one potential consequence of this sort of flaw, other researchers said.

Easily finding one vulnerability in less than two hours indicates there will be ongoing security problems on as long as a patchwork system of coding and software packages remains, said the researchers, who requested anonymity because they do separate business with the government. comprises about 10 times more lines of code than Windows XP. “There’s no way that, given their timeframe and constraints and requirements, that was all either quality or original code, so you can assume that they’ve been doing a lot of copying and pasting and just kind of rampant inclusion of any code they thought would be useful,” Harrop said.

A separate flaw in that could have exposed email and other account information was eliminated on Monday, after a private citizen informed HHS officials of the problem, Time reported.

The enormous size of the site affects “performance, which is the biggest topic on everyone’s minds right now, but it’s also a security issue because the more [upgrades] and code that you bring in, the more potential security vulnerabilities you have,” Harrop said.

Responding to such concerns, HHS officials said consumers who fill out online forms can trust that the information entered is protected by stringent standards and that the technology underlying the application process is secure.

Apparently the department was aware of security hazards ahead of the site’s debut. CNN on Wednesday obtained an internal memo from the agency responsible for, the Centers for Medicare and Medicaid Services, which was written just days before opened and warned of a "high" security risk because of limited testing.

"Due to system readiness issues, the (security control assessment) was only partly completed," the CMS memo stated. "This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations."

Federal officials had announced that CMS, on Sept. 6, self-certified the hub as safe to launch after reviewing contractor assessments to ensure all potential compromises had been addressed, as is practice under federal rules.

The evaluations were not vetted by internal auditors. The HHS inspector general chose not to review the draft and final security plans before kickoff, due to limited time and resources, an IG official told Nextgov in September.

One of the independent researchers on Tuesday night left a message for HHS Secretary Kathleen Sebelius’ chief of staff about the risk of compromising personal information and provided a name and number for immediate contact.

Late Wednesday afternoon, the researcher received a call from a department employee indicating an operations person would be in touch to learn more about the issues detected, the researcher said.

The various programmers said, by that point, they felt HHS personnel had pinpointed and fixed the most severe mistakes.
