I have discovered a number of issues with Healthcare.gov.  I have blogged details on some of these on my other blog, Is There A Problem Here?

These issues include, but are not limited to:
1) The site creates more cookie data than it will accept. It returns HTTP 400 errors (displaying blank screens to the user) when the cookie data it generates gets larger than parts of the site are configured to accept.

2) The site requires users create an account and verify identity and submit an application to get information about plan options. This creates a bottleneck that could have been avoided with different design.

3) The client-side Javascript code I’ve reviewed contains some errors and is overly complex — complex in a way that adds overhead and risk that makes current understanding and future maintenance of the code unnecessarily difficult.

4) The site processed an application I did not submit — and that I explicitly told it to not process.

5) There are so many obvious security flaws that I doubt they took security seriously. This gives me reason to be concerned about security of parts I can’t see. Some of the security issues I’ve seen are:

  • Personal data sent unsecured over HTTP
  • Error messages that reveal the existence of usernames and email addresses in the system
  • Stack traces returned to the browser that reveal information about the internal system components
  • Usernames and password reset codes and questionnauire (not the application) answers sent to 3rd party analytics companies
  • Password reset codes returned to the browser
  • Email addresses associated with an account returned to the browser without authentication
  • An email validation system that returns the info to needed validate an email address to the browser — enabling people to create accounts using others’ email addresses

If you want to see details, please visit my other blog at http://blog.isthereaproblemhere.com/search/label/Healthcare.gov

Ben Simo