Out in the Open - A Tale of Insecure Public Profiles

Zachary Friss - 1/27/2015

This year for Christmas I got my fiancée a medical ID bracelet. Rather than being engraved with her information, it has an online profile that a first responder or doctor can view in three ways: by scanning a QR code, by entering the band ID and PIN online, or by calling the service and providing the ID and PIN. After receiving the bracelet and going online to create her profile, we were pleased with just how easy it was to enter information.

As I gave the profile a closer look I saw something curious. The profile page that you are sent to after registering is http://example.com/profile/XXX, where XXX is a number. Being the curious web developer I am, I decided to check out what would happen if I were to change that number by 1. When I did, I was shocked to see that I could access all the information about someone who had registered just before us! I was astounded at how easy it was to view everyone’s personal medical information simply by changing a number in a URL. The information varied from addresses and phone numbers to medical conditions and insurance information.
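The bug above is a missing authorization check: the number in the URL is the only thing the server consults before returning a record. Below is an added illustration (not the bracelet service's code) of that lookup beside a hardened version that only releases a profile to its owner or to someone presenting the band ID and PIN; the profile store, account names and PINs are constructed sample data.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    owner: str      # account that registered the profile (constructed)
    band_id: str    # ID printed on the bracelet (constructed)
    pin: str        # constructed sample; a real service would store only a hash
    data: dict


# Constructed sample: two profiles registered one after the other, so their
# IDs differ by 1 exactly as in the post.
PROFILES = {
    41: Profile("alice@example.com", "BAND-41", "1234", {"conditions": "penicillin allergy"}),
    42: Profile("bob@example.com", "BAND-42", "9876", {"conditions": "type 1 diabetes"}),
}


def get_profile_vulnerable(profile_id: int) -> Optional[dict]:
    """Mirrors the flaw: the URL number is the only input, so the caller's
    identity is never compared with the record's owner."""
    p = PROFILES.get(profile_id)
    return p.data if p else None


def get_profile_hardened(profile_id: int, requester: Optional[str] = None,
                         band_id: Optional[str] = None, pin: Optional[str] = None) -> Optional[dict]:
    """Same lookup, but the record is released only to its owner or to a caller
    who presents the matching band ID and PIN. Missing and unauthorized IDs both
    return None so the response does not reveal which IDs exist."""
    p = PROFILES.get(profile_id)
    if p is None:
        return None
    if requester is not None and requester == p.owner:
        return p.data
    if band_id is not None and pin is not None:
        # Constant-time comparison so response timing does not leak a partial match.
        if hmac.compare_digest(band_id, p.band_id) and hmac.compare_digest(pin, p.pin):
            return p.data
    return None
```

Making the IDs random instead of sequential would not be a substitute for this check; the ownership and credential comparison is what closes the hole.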