I have discovered a number of issues with Healthcare.gov. I have blogged details on some of these on my other blog, Is There A Problem Here?
2) The site requires users create an account and verify identity and submit an application to get information about plan options. This creates a bottleneck that could have been avoided with different design.
4) The site processed an application I did not submit — and that I explicitly told it to not process.
5) There are so many obvious security flaws that I doubt they took security seriously. This gives me reason to be concerned about security of parts I can’t see. Some of the security issues I’ve seen are:
- Personal data sent unsecured over HTTP
- Error messages that reveal the existence of usernames and email addresses in the system
- Stack traces returned to the browser that reveal information about the internal system components
- Usernames and password reset codes and questionnaire (not the application) answers sent to 3rd party analytics companies
- Password reset codes returned to the browser
- Email addresses associated with an account returned to the browser without authentication
- An email validation system that returns the info needed to validate an email address to the browser — enabling people to create accounts using others’ email addresses
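To make the password-reset and email-validation points above concrete, here is an added example (my own illustration, not code from Healthcare.gov or from the original post) of a minimal reset handler written two ways: a flawed version that reveals whether an account exists and hands the reset code straight back to the browser, and a hardened version that answers every request identically, delivers the code only out of band (a simulated mail outbox here), stores it hashed, and verifies it with a constant-time comparison. The user store, email addresses and outbox are constructed stand-ins, not real data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed in-memory store: email -> {"reset_hash": str | None}
# The outbox simulates the out-of-band channel (e-mail) the code should travel on.
@dataclass
class Store:
    users: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)  # (email, code) pairs "sent" by mail


def make_store() -> Store:
    s = Store()
    s.users["alice@example.com"] = {"reset_hash": None}  # constructed sample account
    return s


def _hash_code(code: str) -> str:
    # Store only a digest so a database read does not yield a usable code.
    return hashlib.sha256(code.encode()).hexdigest()


# --- Flawed handler: the pattern the post describes -------------------------
def request_reset_leaky(store: Store, email: str) -> dict:
    if email not in store.users:
        # Distinct error confirms which addresses are registered (enumeration).
        return {"error": "No account exists for this email address"}
    code = secrets.token_urlsafe(16)
    store.users[email]["reset_hash"] = _hash_code(code)
    # The secret that authorises the reset goes back to whoever asked for it.
    return {"reset_code": code}


# --- Hardened handler --------------------------------------------------------
UNIFORM_MSG = "If that address is registered, a reset link has been sent."


def request_reset_hardened(store: Store, email: str) -> dict:
    if email in store.users:
        code = secrets.token_urlsafe(32)
        store.users[email]["reset_hash"] = _hash_code(code)
        store.outbox.append((email, code))  # delivered out of band only
    # Same response whether or not the address exists.
    return {"message": UNIFORM_MSG}


def verify_reset(store: Store, email: str, code: str) -> bool:
    user = store.users.get(email)
    if user is None or user["reset_hash"] is None:
        # Do a comparison anyway so response time does not reveal existence.
        hmac.compare_digest(_hash_code(code), _hash_code("placeholder"))
        return False
    ok = hmac.compare_digest(_hash_code(code), user["reset_hash"])
    if ok:
        user["reset_hash"] = None  # single use: clear the code once consumed
    return ok


if __name__ == "__main__":
    s = make_store()
    print("leaky:", request_reset_leaky(s, "alice@example.com"))
    print("leaky:", request_reset_leaky(s, "nobody@example.com"))
    s = make_store()
    print("hardened:", request_reset_hardened(s, "alice@example.com"))
    print("hardened:", request_reset_hardened(s, "nobody@example.com"))
    print("outbox:", s.outbox)
```

The same split applies to the email-validation flow the post mentions: the validation token belongs in the message sent to the address being verified, never in the HTTP response to the browser that requested it. When reviewing a reset or verification endpoint, the two checks worth making are that the response body is byte-for-byte identical for known and unknown addresses, and that the secret appears only on the out-of-band channel.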
If you want to see details, please visit my other blog at http://blog.isthereaproblemhere.com/search/label/Healthcare.gov