SQL Injection / Hacking on Healthcare.gov

Written by Alex J Fierro

Let's file this under "why we can't have nice things...".

The search box on http://www.healthcare.gov autocompletes to show previous searches. It is currently showing evidence of hacking attempts.

As you can see from the screenshot in the banner, typing in ";" into the search box on the affordable health act website results in some extremely bizarre search history results. These results include ";select * from users", ";show tables;" and ";select * from *;". To the unaware, those are attempts to hack the website using what is known as SQL injection.


More evidence of repeated hacking attempts when you search "'".

I won't go into the ins and outs of what exactly SQL injection is, as many articles have covered it in great detail. Briefly: when you search for something on a website, the text you enter is inserted into a database query that fetches the matching results. If the programmers who built the website didn't know about (or didn't bother with) the relevant security risks, specially crafted input can change the meaning of that query, and in the worst case someone can pull a copy of the entire database out through the search box. It is important to note that this does not appear to be the cause of the many problems Healthcare.gov has been having lately, nor does it appear that these SQL injection attempts have gotten past the website's defenses.
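To make the mechanism concrete, here is an added example (not code from Healthcare.gov or from this post) of a search box written both ways. The table names, sample rows and the two probe strings are constructed for the demo; the probes are modelled on the `'` and `;select * from users` entries visible in the screenshots. In the concatenating version a stray quote breaks the query outright (which is exactly the error-message signal that draws attackers in), while the parameterized version treats the same input as plain text to search for.

```python
import sqlite3

# Constructed sample data: a tiny in-memory database standing in for a site's search backend.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(title TEXT);
        INSERT INTO pages VALUES ('Apply for coverage'), ('Compare plans'), ('Find local help');
        CREATE TABLE users(name TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('alice', 'constructed-hash');
    """)
    return conn

def search_vulnerable(conn, term):
    # The user's input is pasted straight into the SQL text, so quotes and
    # semicolons in it become part of the command, not part of the data.
    sql = "SELECT title FROM pages WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, term):
    # The driver sends the value separately from the SQL text; the database
    # never re-parses it, so it can only ever be the string being searched for.
    sql = "SELECT title FROM pages WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

def probe(search, conn, term):
    # Run one search and report whether the query survived the input.
    # (Older Pythons raise sqlite3.Warning for a trailing second statement,
    # newer ones raise ProgrammingError, so both are caught.)
    try:
        return {"ok": True, "rows": search(conn, term)}
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return {"ok": False, "error": str(exc)}

if __name__ == "__main__":
    # Constructed inputs: one ordinary search and two of the shapes seen in the search history.
    for term in ("plans", "'", "';select * from users"):
        print(repr(term))
        print("  concatenated :", probe(search_vulnerable, make_db(), term))
        print("  parameterized:", probe(search_parameterized, make_db(), term))
```

Inputs like these showing up in a search log are worth alerting on even when the query survives them; the parameterized version is the fix, not input filtering.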

It is, however, an interesting case study showing that high-profile websites that attract criticism are certainly more susceptible to vitriolic attacks from "hackers". Protect your website even if you aren't a high-risk target like the Obamacare site. Read up on SQL injection and take steps to prevent hackers from intruding on your data!


Courtesy of XKCD