Security Advisory – Online Pharmacy

Yakov Shafranovich found a vulnerability that exposed patients’ prescription histories to anyone who had the patient’s full name and date of birth:

During the signup process, prompts users for their identifying information. At the end of the signup process, the user is shown a list of their existing prescriptions in all other pharmacies in order to make the process of transferring them to easier. Testing has shown that the prescription history is looked up by full name and birthdate alone, with the other information provided not used for validation of the user’s identity.

Read more on his blog. The Pharmacy corrected the problem promptly when notified.
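The lookup behaviour the advisory describes, next to a differential check a team could run against its own signup flow, as an added example that is not from the advisory or the pharmacy's code. The record layout, the extra fields (`zip`, `phone`), the function names and the stricter lookup are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample record; every name, field and value here is made up.
RECORDS = [
    {"name": "jane q. public", "dob": date(1980, 4, 12),
     "zip": "00000", "phone": "555-0100",
     "prescriptions": ["sample-drug-a 10mg", "sample-drug-b 5mg"]},
]
EXTRA_FIELDS = ("zip", "phone")  # hypothetical "other information" from the form

def _norm(name):
    """Case- and whitespace-insensitive form of a full name."""
    return " ".join(name.lower().split())

def lookup_weak(form):
    """Behaviour described in the advisory: match on name + birthdate only."""
    for rec in RECORDS:
        if _norm(form["name"]) == rec["name"] and form["dob"] == rec["dob"]:
            return rec["prescriptions"]
    return []

def lookup_strict(form):
    """Hypothetical stricter lookup: every collected field must match."""
    for rec in RECORDS:
        if _norm(form["name"]) != rec["name"] or form["dob"] != rec["dob"]:
            continue
        if all(form.get(k) == rec[k] for k in EXTRA_FIELDS):
            return rec["prescriptions"]
        return []
    return []

def ignored_fields(lookup, good_form):
    """Corrupt one extra field at a time; if history is still returned,
    that field plays no part in validating the user's identity."""
    ignored = []
    for field in EXTRA_FIELDS:
        probe = dict(good_form, **{field: "WRONG-" + good_form[field]})
        if lookup(probe):
            ignored.append(field)
    return ignored

GOOD_FORM = {"name": "Jane Q.  Public", "dob": date(1980, 4, 12),
             "zip": "00000", "phone": "555-0100"}

if __name__ == "__main__":
    print("weak lookup ignores:", ignored_fields(lookup_weak, GOOD_FORM))
    print("strict lookup ignores:", ignored_fields(lookup_strict, GOOD_FORM))
```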

About the author: Dissent
