this post was submitted on 05 Jan 2026
Holidaying in India and I'm stupidly glad I didn't grow up living on a traffic island in a large intersection. Lots about this place is wonderful but there's always that undercurrent of brutal systemic factors...
I saw today on RNZ about the Manage My Health hack that it was a single module that had been exploited via a valid password. Presumably they weren't limiting or sanitizing input, allowing lateral retrieval of others' records? I was curious if there were any more details around it?
I've only been vaguely aware of what's going on... For MMH, the timing is probably fairly convenient with everyone enjoying summer rather than reading the news at work?
I don't have any insider information so I'm just spitballing here :D but I have worked in the health IT field before and I'm not even a little surprised that bugs like these exist - and have been exploited.
Poor authorisation handling bugs are quite common. Authentication is largely a solved problem what with OAuth (not that a lot of NZ health IT providers use it...... sigh) but each software developer still has to solve the problem of authorisation. And it's just all too easy to forget that random IDs are not secure and are not even random.
Sounds like a case of enumeration. Log in to your account and get sent to
www.nzhealthsite.nz/loggedin/1234
then go and manually edit the URL to
www.nzhealthsite.nz/loggedin/1235
The site is only checking that you have logged in and are allowed to be in the secure area and not checking what information you are allowed to have.
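The flaw the last comment describes (a handler that checks the login but not who owns the requested record), shown next to the same handler with an ownership check, as an added example that is not part of the thread and is not Manage My Health's code. The users, records, session token, function names and alert threshold are all constructed, and the refusal counter for spotting ID probing goes a little beyond what the comment covers.

```python
from collections import defaultdict

# Constructed sample data: record id -> (owner user id, record body).
RECORDS = {
    1234: ("alice", "alice: blood test results"),
    1235: ("bob", "bob: prescription history"),
    1236: ("carol", "carol: referral letter"),
}
SESSIONS = {"tok-alice": "alice"}   # session token -> logged-in user (constructed)
DENIED = defaultdict(set)           # user -> record ids they were refused
ALERT_THRESHOLD = 2                 # assumed: distinct refusals before flagging


def get_record_login_only(token, record_id):
    """The flaw described above: authentication is checked, ownership is not."""
    if token not in SESSIONS:
        return 401, None
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    return 200, record[1]


def get_record_owner_checked(token, record_id):
    """Same route with an authorisation check on every object lookup."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    record = RECORDS.get(record_id)
    # Answer 404 for both "missing" and "not yours" so the response does not
    # confirm which ids exist.
    if record is None or record[0] != user:
        DENIED[user].add(record_id)
        return 404, None
    return 200, record[1]


def enumeration_suspects():
    """Users refused on at least ALERT_THRESHOLD distinct record ids."""
    return sorted(u for u, ids in DENIED.items() if len(ids) >= ALERT_THRESHOLD)


if __name__ == "__main__":
    for rid in (1234, 1235, 1236):
        print(rid, get_record_login_only("tok-alice", rid)[0],
              get_record_owner_checked("tok-alice", rid)[0])
    print("flag for review:", enumeration_suspects())
```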