Security flaws discovered at health insurance site

The Ameli.fr site suffered from two major security vulnerabilities.

One of the security flaws could allow anyone who knows how to do it to access the mail received and issued by the insured. The revelation was made by the website Nextinpact, which specializes in IT-related cases.

This article will also interest you: Travel data collected by the French National Police

According to the websites: "It was enough to change the number of pdf files sent as attachments to the URL for access to letters to other policyholders." And of course these letters being a true source of information because they were able to learn about certain information such as "names, first names, addresses, social security numbers, requests for documents and information, certificates of care or refusal of care and sometimes attachments (including work stoppages)" Nextinpact.

this security vulnerabilities could not, of course, "target a target of a individual in particular." However, it was possible to consult letters from a set of policyholders and this in quantity. The website states that security breach was reported by a reader who also confirmed that he had informed National Information Systems Security Agency. On the other hand, the press service of the CNAM (National Health Insurance Fund) also been informed.

According to this last, the flaws security would have been brought under control and filled.However the two security flaws were not discovered at the same time. Indeed, the news site claimed that it was after having reported the security breach and that the security breach was filled by the state institution, which the second has been updated.Unlike the first one, which allowed access to the letters of the insured second presented itself as "a dozen custom pages of registration confirmation [sur Ameli.fr]showing names and surnames insured. ». This page being then referenced the Google search engine anyone could access it without any problem.

"The oldest page was archived on September 15, the most recent this Sunday, December 8, and therefore after the first problem was corrected. Nextinpact noted. According to the information gathered, this problem was obviously due to "the bot files.txt, which are supposed to tell the robots w[de Google]hat it is permissible (or forbidden) to index. ». There has been an absence of this file in the relevant pages.

In addition, the National Health Insurance Fund publicly notified that they had "made the necessary corrections and asked Google deleting pages that had been so referenced and that two faults are of different origin and nature. ». This seems to be a good news, however, according to the news website, that "the .txt file had still not been corrected. "Despite the statement by the CNAM. This is how she explains this by meaning that " its legal services have asked Google to remove the links confirmation of the opening/closing of archived accounts, a request that has not been not yet completed and that these links do not allow access to the spaces policyholders' staff. (…) There is still room for improvement in terms of the process of validating the emails of policyholders who create a personal account on Ameli to prevent the fault from happening again, and that it will be done January"

to complete the National Health Insurance Fund flew assured that "The anomaly found could not have been exploited for malicious purposes because there was no way to fetch specific information about a particular person, nor to target a type of room." That there was no real danger and that the concern can now be lifted.

Now access an unlimited number of passwords: