recommended reading

Researchers Find a Way to Hack Spanish Language

Until fixed on Wednesday afternoon, a security flaw in -- the Spanish language version of -- could have allowed hackers to steal personal information from enrollees as they typed, according to three independent software developers. The Health and Human Services Department repaired the software error after Nextgov inquired about the defect early Wednesday.

HHS remedied a similar bug on the English-speaking site at some point between Oct. 4 and Oct. 10.

While citizens bemoan the online healthcare shop’s inelegant functionality, some programmers say the same clumsiness is creating vulnerabilities that criminals could exploit, especially as the site becomes more reliable and attracts more users.

The Spanish version remained faulty likely because the estimated 500 million lines of code running the marketplace are managed by multiple system administrators and reside on separate servers, said Gabriel Harrop, who examined public code through his browser’s developer tools.

HHS spokeswoman Joanne Peters said on Wednesday that personnel are mending the weakness and adding extra protections.

"We have taken great care to ensure that people's usernames and information are kept secure,” she said in an email. “We are eliminating this theoretical vulnerability by preventing users from seeing the specific reset functionality when trying to reset their password."

Personnel are correcting this specific issue by preventing the server from sending, in plain view, a unique Web session identifier to browsers, HHS officials said. The ID had been sent and stored in every user’s browser, according to outside programmers.

The core of’s technical troubles is its ad-hoc construction, they added.

The problem with making last-minute changes and adding software packages is that “if a vulnerability comes up in the future, with their code or one of the packages that they have included, they are most likely not going to be able to push an update" or devise a workaround quickly” Harrop said Tuesday afternoon, before the fix. “So just the fact that they haven’t fixed these fairly small trivial issues is not a very good sign."

He discovered the glitch within two hours Tuesday morning, after he started poking around for holes.

The so-called invisible frame injection identified could let hackers capture Social Security numbers and other confidential information that healthcare applicants enter while enrolling. Invisible frames are strings of code often used to embed clickable ad boxes on webpages. The IFrame error on allowed unauthorized users to insert a credential-stealing file that, for example, could be set to activate when a user clicked on the "Solicitar Ahora" (Apply now) box on the homepage.

Identity theft is one potential consequence of this sort of flaw, other researchers said.

Easily finding one vulnerability in less than two hours indicates there will be ongoing security problems on as long as a patchwork system of coding and software packages remains, said the researchers, who requested anonymity because they do separate business with the government. comprises about 10 times more lines of code than Windows XP. “There’s no way that, given their timeframe and constraints and requirements, that was all either quality or original code, so you can assume that they’ve been doing a lot of copying and pasting and just kind of rampant inclusion of any code they thought would be useful,” Harrop said.

A separate flaw in that could have exposed email and other account information was eliminated on Monday, after a private citizen informed HHS officials of the problem, Time reported.

The enormous size of the site affects “performance, which is the biggest topic on everyone’s minds right now, but it’s also a security issue because the more [upgrades] and code that you bring in, the more potential security vulnerabilities you have,” Harrop said.

Responding to such concerns, HHS officials said consumers who fill out online forms can trust that the information entered is protected by stringent standards and that the technology underlying the application process is secure.

Apparently the department was aware of security hazards ahead of the site’s debut. CNN on Wednesday obtained an internal memo from the agency responsible for, the Centers for Medicare and Medicaid Services, which was written just days before opened and warned of a "high" security risk because of limited testing.

"Due to system readiness issues, the (security control assessment) was only partly completed," the CMS memo stated. "This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations."

Federal officials had announced that CMS, on Sept. 6, self-certified the hub as safe to launch after reviewing contractor assessments to ensure all potential compromises had been addressed, as is practice under federal rules. 

The evaluations were not vetted by internal auditors. The HHS inspector general chose not to review the draft and final security plans before kickoff, due to limited time and resources, an IG official told Nextgov in September.

One of the independent researchers on Tuesday night left a message for HHS Secretary Kathleen Sebelius’ chief of staff about the risk of compromising personal information and provided a name and number for immediate contact.

Late Wednesday afternoon, the researcher received a call from a department employee indicating an operations person would be in touch to learn more about the issues detected, the researcher said.

The various programmers said, by that point, they felt HHS personnel had pinpointed and fixed the most severe mistakes.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.