I was with my girlfriend in her apartment and she asked me to visit the website of her health care provider, a mutualist named “Circulo Catolico,” to look for information about a doctor’s office hours. She had just told me the URL and, before she could tell me her login credentials, I was already inside the system on the website.
The login page had an annoying captcha and I started looking at the source code. I quickly discovered that all I had to do to get rid of that captcha mechanism was to delete a parameter in the URL of the login form, and bingo!
The security features on the website were terrible. Actually, I think insecurity was sold as a feature of the application. I discovered that by using “admin” as both username and password for the login I could not only log into the system but could enter the website with administrator privileges. It was a terrible thing!
This meant that I could theoretically have accessed and altered patient health records, added new patients, delved into the company’s financial reports and much more.
In literally 5 minutes I sent an email to the CERT, email@example.com, and reported the security issue as critical, a RED for triage.
In less than two hours, I received a response saying they had verified that I was right. The response was from the Director of Information Security of the Presidency of Uruguay. That was it.
He asked me if I had a contact in the medical provider, and unfortunately I did, and sent the phone number to the guys from the CERT.
I forgot about the website and its vulnerabilities. The problem was now in the hands of others.
In 2015, a year later, I visited that website again and decided to check if there were vulnerabilities again. And guess what?
In 15 minutes, I was able to access all kinds of information stored by the health care provider. I simply modified some URL parameters. It was a déjà vu scenario.
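The three weaknesses the post describes (a captcha check that only runs when the client sends the captcha parameter, a live default “admin”/“admin” account, and record lookups that trust a user-supplied id) are all server-side authorization mistakes. The following is an added example, not code from the original post or from the provider’s site, that models each weak pattern beside its hardened form in plain Python. All users, records, captcha answers and function names are constructed for illustration.

```python
"""Weak vs. hardened login and record lookup (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed data. The weak user table ships with a default admin account.
WEAK_USERS = {
    "admin": {"password": "admin", "role": "admin"},
    "alice": {"password": "hunter2", "role": "patient"},
}
RECORDS = {
    1001: {"owner": "alice", "note": "constructed record A"},
    1002: {"owner": "bob", "note": "constructed record B"},
}


def weak_login(params):
    """Weak pattern: the captcha is only verified when the client includes
    the 'captcha' parameter, so omitting it skips the check entirely."""
    if "captcha" in params and params["captcha"] != "expected":
        return None
    user = WEAK_USERS.get(params.get("user"))
    if user and user["password"] == params.get("password"):
        return {"user": params["user"], "role": user["role"]}
    return None


def weak_get_record(session, record_id):
    """Weak pattern: any authenticated session can read any record id
    (an insecure direct object reference)."""
    if session is None:
        return None
    return RECORDS.get(record_id)


# ---- hardened versions -------------------------------------------------

def _hash(password, salt):
    # PBKDF2 with a per-user salt; the iteration count is kept modest so the
    # example runs quickly, production deployments should tune it upward.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password, role):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}


# No default administrator; admin accounts are provisioned explicitly with
# unique credentials, never seeded with a guessable username/password pair.
HARDENED_USERS = {
    "alice": make_user("hunter2", "patient"),
    "bob": make_user("correct-horse", "patient"),
}

_DUMMY_SALT = b"\x00" * 16  # used to equalise timing for unknown users


def hardened_login(params, expected_captcha):
    """expected_captcha is the answer the server stored when it issued the
    challenge; it never comes from the request. The check fails closed:
    a missing or wrong answer rejects the login before credentials matter."""
    answer = params.get("captcha", "")
    if not hmac.compare_digest(answer, expected_captcha):
        return None
    user = HARDENED_USERS.get(params.get("user"))
    if user is None:
        _hash(params.get("password", ""), _DUMMY_SALT)  # constant-ish timing
        return None
    candidate = _hash(params.get("password", ""), user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return None
    return {"user": params["user"], "role": user["role"]}


def hardened_get_record(session, record_id):
    """Object-level authorization: a patient may read only records they own;
    only an explicitly assigned admin role may read others'."""
    if session is None:
        return None
    rec = RECORDS.get(record_id)
    if rec is None:
        return None
    if session["role"] == "admin" or rec["owner"] == session["user"]:
        return rec
    return None


if __name__ == "__main__":
    print("weak, no captcha param:", weak_login({"user": "admin", "password": "admin"}))
    sess = hardened_login({"user": "alice", "password": "hunter2", "captcha": "7kq3"}, "7kq3")
    print("hardened alice -> record 1002:", hardened_get_record(sess, 1002))
```

The point of the hardened half is that every decision is made from server-held state: the captcha answer, the password hash, and the record owner are compared against what the server stored, so nothing the client omits or edits in the URL can change the outcome.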
Again, in 5 minutes I sent another email to the national CERT and informed them of the problem. And again, I forgot about the problem, I had nothing left to do with it.
Would you like to know if the security problems were solved by December 2016? I am not answering that. But you already know the answer…