Healthcare.gov site advertising SQL injection attacks

healthcare injection

Via Alex Hern on Twitter, we find that the Obamacare website has attempted website attacks in its search box, automatically prompted for you if you type or mistype the right letters or punctuation.

This tells us a few things: there is a lack of polish in the Healthcare.gov website, there are many people who want to break into the website, and there isn’t much confidence in the security of the website. All of these things should be troubling to people with data in that system.

For the curious, let me explain what’s going on with these searches. These searches are attempting variants on a website attack called an SQL Injection attack. SQL is a programming language used very commonly for databases attached to websites, storing information used by the site.

Sites that store information in databases need to take input from the user (such as a URL, or a search box) and put that into a request to the database. The text from the public has to go into the SQL. That’s a problem, because malicious users who understand SQL could put SQL into their searches, running whatever commands they want on the database.

There are ways to fix that, though. The programmer can pre-process the text from the user to remove any ability to harm or control the database. It’s not always easy, because attackers can be tricky, but it’s a solved problem. Sanitizing inputs is a known, defined problem with known, defined solutions at this point. Any website worth anything should be using it, as long as the developers are competent at all.

However, people don’t have much confidence in the government to be fixing this properly. Randall Munroe made light of the problem way back in 2007. So what we’re seeing is that many, many people are attacking Healthcare.gov to test for these basic exploits, enough that the attacks are being suggested in the autocomplete feature!

Further, that the autocomplete feature is not hiding these searches suggests that the developers didn’t even consider that users may attempt these attacks, that the attacks aren’t being hidden in the way that profanities are. So we’re left to wonder: what other attacks didn’t they think about?

If I had data in that website, I would be troubled by this.

Get Alerts