HealthVault.
Published on: 1213477578 (Unix timestamp)
Be well. Un-protected.
Like Google, Microsoft has jumped on the electronic health-record bandwagon with HealthVault[1]. HealthVault is the winner of Microsoft's 2008 Trustworthy Computing Privacy Award. And of course, now I am here to smash that utopia of safety, because it is anything but safe and secure for customers. They forget that security is a process: if any part of that process fails, the whole system fails. So imagine a vulnerability in a system or website that integrates with HealthVault. It can lead to compromise on many different levels, including the disclosure of medical information, even while HealthVault itself may be relatively secure.
Microsoft has a range of partners that use HealthVault, and a couple of those partners already have websites riddled with vulnerabilities. One of those partners, Kryptiq[2], has an SQL injection vulnerability on its homepage.
SQL Injection vulnerability example:
http://www.kryptiq.com/XXX.asp?action=XXX&id=100;
http://www.kryptiq.com/XXX.asp?action=XXX&id=100'
That's right folks: an SQL injection vulnerability on a website that stores/processes your health information through the Microsoft HealthVault program. I contacted Kryptiq and gave them 5 working days to respond, as per the RFP full-disclosure policy[3]. They did not respond, which gives me the right to make this public in order to raise awareness and protect people who are using, or considering using, their services.
Update: I talked to Kryptiq, and they say they are using a third-party CMS that contains the SQL injection flaws. They are currently working with the vendor of the CMS to fix the issues, as well as implementing a rigorous new security strategy to prevent this from happening again.
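The two URLs above differ only by a trailing `;` versus a trailing `'`, and the difference in the site's response is what gives the flaw away: a numeric `id` parameter is being pasted straight into SQL text. The following is an added example (not code from this post, from Kryptiq, or from their CMS vendor) that reproduces that behaviour against an in-memory SQLite table with a constructed `pages` schema, and puts the parameterized fix beside it. The table, the column names and the `probe` helper are all assumptions made for the illustration.

```python
import sqlite3

# Constructed stand-in for a CMS content table; the real schema behind the
# partner site is unknown, so this is an assumption for illustration only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(100, "Patient portal"), (101, "About")])
    return conn

def lookup_concat(conn, raw_id):
    """Vulnerable pattern: the 'id' query parameter is spliced into the SQL
    text, so whatever the client sends is parsed as SQL."""
    sql = "SELECT title FROM pages WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, raw_id):
    """Hardened pattern: the value is bound as a parameter. The database never
    parses it as SQL, so a stray quote is just a value that matches nothing."""
    rows = conn.execute("SELECT title FROM pages WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]

def probe(lookup, raw_id):
    """Run one lookup on a fresh database and report the outcome instead of
    raising, mirroring the two requests in the post: a value ending in ';'
    and the same value ending in a lone quote."""
    conn = make_db()
    try:
        return ("ok", lookup(conn, raw_id))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    finally:
        conn.close()

def surfaces_sql_error(lookup):
    """True when appending a lone quote turns a successful lookup into a
    database error: the tell-tale that the concatenated version exhibits."""
    return probe(lookup, "100")[0] == "ok" and probe(lookup, "100'")[0] == "error"

if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_concat), ("parameterized", lookup_param)):
        for raw in ("100", "100;", "100'"):
            print(name, repr(raw), probe(fn, raw))
```

Note that with the bound parameter, `100;` no longer matches anything either: SQLite only converts the text to a number when it is a well-formed literal. In a real handler the right move is to convert the parameter with `int()` before it goes anywhere near the query and to return a 400 on failure, so that both the error path and the query path are fully under the application's control.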
As a bonus, here is an LFI (local file inclusion) vulnerability on the TRUSTe site that HealthVault uses:
https://www.truste.org/cgi-htdig/htsearch?config=htdig'your_local_conf_file_here&restrict=&exclude=&method=and&format=
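The `config` parameter above names a file that the search CGI goes on to read, which is why a quote or a path fragment in it matters. As an added example (not the htdig code and not anything from the TRUSTe site), here is the unchecked file-naming pattern beside a hardened version that allowlists the name, restricts its characters, and confirms the final path still sits directly inside the config directory. `CONF_DIR`, `ALLOWED_CONFIGS` and the `.conf` suffix are constructed assumptions; the real layout of that CGI is not known from the post.

```python
import posixpath
import re

# Constructed values for the example: where the search CGI keeps its config
# files, and the config names the site actually serves. Both are assumptions.
CONF_DIR = "/var/www/search/conf"
ALLOWED_CONFIGS = {"htdig", "intranet"}
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

def config_path_unchecked(name, conf_dir=CONF_DIR):
    """Vulnerable pattern: the 'config' request parameter is used as-is to
    build the path of the file that will be read. Quotes, slashes and '..'
    all pass through, and posixpath.join discards conf_dir entirely when the
    name is absolute."""
    return posixpath.normpath(posixpath.join(conf_dir, name + ".conf"))

def escapes_conf_dir(name, conf_dir=CONF_DIR):
    """Report whether the unchecked path ends up outside conf_dir."""
    base = posixpath.normpath(conf_dir) + "/"
    return not config_path_unchecked(name, conf_dir).startswith(base)

def config_path_checked(name, conf_dir=CONF_DIR, allowed=ALLOWED_CONFIGS):
    """Hardened pattern: restrict the character set, require an allowlisted
    name, and confirm the normalized path lives directly under conf_dir."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("config name contains disallowed characters")
    if name not in allowed:
        raise ValueError("unknown config name")
    path = posixpath.normpath(posixpath.join(conf_dir, name + ".conf"))
    if posixpath.dirname(path) != posixpath.normpath(conf_dir):
        raise ValueError("config path left the config directory")
    return path

def is_valid_config(name):
    """Boolean wrapper so a request handler can reject early with a 400."""
    try:
        config_path_checked(name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for raw in ("htdig", "htdig'your_local_conf_file_here", "../../../../etc/passwd"):
        print(repr(raw), "unchecked ->", config_path_unchecked(raw),
              "escapes:", escapes_conf_dir(raw), "accepted:", is_valid_config(raw))
```

The allowlist is the check that actually closes the hole; the character filter and the directory comparison are defence in depth for the day someone extends the allowlist with a name that contains a separator. Using `posixpath` rather than `os.path` keeps the example deterministic on any platform.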
Have a nice time sharing your health records with the rest of the world!
[1] http://www.healthvault.com/
[2] http://www.healthvault.com/kryptiq-patientportal.htm
[3] http://www.wiretrip.net/rfp/policy.html