44
mirzoz
4y

A month ago I had some medical tests, the next morning, the clinic's send a email with my results. Oh surprise, unbelievable security flaws. They sent me a link without any kind of authentication, token, or security. I looked at my results, and by entering consecutive and random numbers I was able to download a lot of results and folders of other patients. I wrote an email to the clinic informing them of this situation and their response was "Thank you". Today I have accessed the link and the error is still present. I am going to notify higher health authorities.

Comments
  • 19
    Please keep us updated, leak it to the news
  • 6
    @alexbrooklyn of course bro
  • 17
    @mirzoz Of course, do it anonymously before getting sued for hacking because morons think that prosecution threats is what keeps the bad guys from stealing data.
  • 25
    1) Not sure what country you’re in but chances are you just admitted in writing to committing a fairly serious crime.

    2) don’t get me wrong I understand the intention, worked in cyber security until recently (developed software for red team use). Just probably don’t download confidential medical records and then put that in writing to make a point. I’ve seen a lot of sad stories that started that way. There are other ways to go about expressing concern

    3) please please don’t publicly leak a vulnerability that allows people to easily access private medical records. I know a lot of that software is old and broken and doesn’t require much knowledge to exploit, but no need to tell even more people how to do it. There are much safer ways to pressure a company to fix their shit

    Stay safe and ethical out there friend ❤️
  • 7
    Be careful about this cause if someone else exploits this, you might be on the hook for it. Seen a similar situation in an op-sec ted talk.
  • 15
    @demoralizeddev Thanks, and thank you people. I wrote to the clinic again. They told me that they contacted their outside provider to fix the error. They told me not to worry because they were working on it but couldn't shutdown the app 'cause a thousands of results they have to deliver in this pandemic. Which is understandable. They thanked me and gave me the anemia treatment (which came up on the test as a diagnosis) for free.
  • 7
    Be careful or you're going to be the next episode of Darknet Diaries.
  • 3
    May I add the advice that you carpet bomb all the big names, never just one or two. You could conceivably be saving a life.
  • 5
    @mirzoz that's great to hear! I'm glad they gave you a solid reason and didn't just cast you to the wind.
  • 1
    @rearendengineer lol! Right! I was just thinking that
  • 0
    Welcome to the CLUB
Add Comment