Recent searches
Search options
1/13 So, this week I discovered my first #serious #security #vulnerability in a public system.
In the past I've found #problems in #software, problems with #websites, with bureaucratic processes, some of which were significant, but they all pale in comparison to this one.
It starts with a #chain of #pharmacies.
3/13 I have reported the issue to the company; I have asked them to acknowledge and take short-term steps to close the hole. I reported it after hours, so I have not yet received a response, although maybe they should be monitoring this address out of office hours due to the nature of the system.
I will not identify the company in the meantime, providing they address this in a #reasonable amount of time.
4/13 I have long used their automated phone system to #refill #prescriptions, but to date, I had resisted signing up for any #online #services with the pharmacy I deal with, because I lacked confidence in their ability to build and operate such services in a #secure fashion.
Boy, did I turn out to be right.
I decided to sign up for their website services this week because I had some things I wanted to check, and didn't want to take too much of their time on the phone.
5/13 So I went to the site, clicked to #register, and the process went like this.
1. Choose the location I deal with.
2. Enter my first and last name.
3. From 4 options, select the home address associated with my account.
4. From 4 options, select the phone number associated with my account.
And then I was in.
6/13 #Security folks are either slapping their foreheads right now, or sitting there with their jaw hanging open.
All of this #information is #publicly available. For some people, it might be a little more difficult, but in my case, you can #guess which location I deal with based on proximity to my residence. You might have to try 2 times, but that's about it - most people will use one close to their #home, or perhaps office.
7/13 If you want to #attack me, you probably know my name.
My home address and my phone number are both listed beside my name in the "phone book" (kids, ask your parents about this). They're also available #online, from the phone book company or various others.
So all of that is extremely problematic.
But it gets worse.
8/13 They don't even take the basic step of ensuring that I actually have access to that phone number. They could place an automated call to it and read out a security #code that you needed to enter to finish activating the account.
Hell, Google used to call me with a login code at every login before I set up TOTP authentication.
But this pharmacy chain doesn't do that. As soon as I selected my phone number, I was logged in, with full access to all of my #prescription information.
9/13 So an attacker can find out exactly what #medications you're taking, what #dose you're taking, and how often you're taking it.
They can see when I last picked up each prescription, and what date it is next available for refill.
They can see exactly which doctor prescribed it.
That is a *lot* of #sensitive #medical information to just give out with essentially no #authentication of the #patient.
Even better, you can order refills, or turn auto-refill on or off.
10/13 This would be a great way to get #medications that have #recreational uses; create an account for a senior with chronic pain issues, and then watch for when their #prescription #opioid becomes available for #refill. Then go pick it up, and hey, if they have #insurance, free #hillbilly #heroin.
Or that twitchy kid - free #Adderall! #Speed for everyone! Why take a chance on unregulated blue #meth when you can get the real thing?
11/13 Access also lets you view the personal information associated with the account, of course.
It goes without saying that this is a huge #violation of the #law; PIPEDA, the Personal Information Protection and Electronic Documents Act (2000), has applied to the health sector in Canada since 2002. [edit: corrected year]
12/13 Unfortunately, that law has no teeth. At best, it can produce a non-binding report containing recommendations. You can then use the report as evidence if you wish to sue, but that's an expensive gamble.
To say I'm #disappointed with this company is an #understatement. But I have to admit, I am not particularly surprised by the existence of this vulnerability, only by its severity and by how badly they failed to include the most basic security precautions.
13/13 This isn't a mom-and-pop operation; it's a very large company. Somehow, this #design got through #meetings and #proposals and #committees and #design and #implementation and #review and #testing, without anyone pointing out this #flaw?
Or, more likely, low-level employees or contractors tasked with building it did see the problem, and maybe even said something, but #management #ignored it.
I will post updates when I have them.
If you can believe it, it gets #worse.
Being privacy-conscious, when I created the account, I turned off all email notification settings (and phone/text settings).
Today, I made a refill request through the website. And then, because of a problem with my insurance company, the system sent me a cleartext email containing the prescription information, including the drug name and dosage, as well as the reason the email was sent.
In unencrypted email. #JFC
I have sent a second #complaint.
@cazabon Just to make sure I get this:
1. open their website
2. pick a name and guess a location and test 16 different combinations of phone number and address (suggested by the website)
3. obtain home address, phone number and prescription history
?
And the ability to order prescription refills in their name, yes. And turn their auto-refill setting for each one off or on.
I haven't tried this, but given how bad the design is, I'm guessing if you get the address wrong, it will stop you there rather than asking for a phone number - so your max guesses would be 8, and of course the average attempts to get in would be 4.
Four.
Security rarely goes with single-digits...
@cazabon Thanks for this info. Good thing you know enough to raise a red flag. Most of us wouldn't. Wonder how they'll respond??
I wonder that too.
I'm guessing it will be one extreme or the other - they'll "OMG!" and temporarily shut it down while they fix it (which I suggested), or they'll #stonewall, #deny the problem, and #threaten me for "#hacking them".