STE WILLIAMS

Oh, baby! Newborn-care website leaves database of medics wide open

A US health company apparently exposed on the public internet contact information for hundreds of medical professionals.

IT pro Brian Wethern says he told medical company Health Stream nine days ago that one of its now-removed websites had left its database of users out in the open, allowing anyone to slurp the first and last names of medics, and their email addresses and ID numbers, on its Neonatal Resuscitation Program.

We’re withholding the URL of the leaky website at this stage because its data is lingering in online caches.

Wethern tells The Register he believes the company used the database to deliver messages from instructors to students – for example, to set up or confirm a class. The site hosting the information was taken offline shortly after Wethern reported it, and remains inaccessible.

Spear-phishing opportunities

Had the data been accessed and copied by the wrong person, the email addresses could have been used for specific attacks on relatively high-value targets: medical professionals and instructors. More importantly, says Wethern, the fact that such a database was left open to the public wouldn’t bode well for security on other parts of the site.

“What I found was a front-side database,” Wethern explained. “I don’t need their passwords … because I have the frontside database.”

Health Stream did not return multiple requests for comment, so we are unable to get their side of the story. Wethern says he last heard from the company eight days ago when they sent their first and only response to his notifications.

Now, Wethern says, he’s going public in the hope other companies will be a bit more forthcoming and responsive to researchers who discover these sorts of data leaks.

“Hire a basic researcher, first and foremost. Allow your company to budget for these types of intrusions,” Wethern explains.

“And before this all happens, make sure to have a data breach summary in place. Be current with bug bounty programs, own up to your mistakes, and honor the fact that security researchers can be good people out to do good things.” ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/20/oh_baby_health_site_leaves_nrp_database_sitting_out_in_the_open/

  • 21/04/2018
  • adm
Comments are closed.