Friday, August 9, 2013

Trusted Partners, verify yourself.

I had submitted a talk for the mHealthSummit to discuss security for mobile health. Sadly the talk wasn't accepted. With that, I wanted to discuss the first point I was going to make: Validate your SaaS (Software as a Service).

I already had an account created to submit a talk, but I couldn't remember my password, so I performed a password reset request. mHealthSummit uses a third party tool, Precis Central, to collect presentations.

This is the email that arrived in my inbox after requesting the password.

I was flabbergasted - that in 2013 an organization was still saving passwords in plain text.

Worse, a health care entity was relying on a system that stored passwords in plain text. I emailed mHealthSummit and it looks as if they forwarded the issue along to Precis, as today I performed a password reset request and received a link to manually change my password.

Now, this doesn't mean that Precis is now storing passwords in an encrypted fashion. They could have very well "fixed the problem" of emails going out with plain text passwords. So, while one vulnerability was seemingly addressed, we have no idea if the underlying issue of storing plain text passwords was addressed.
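To make the distinction concrete, here is an added example (my own illustration, not Precis Central's code) of a reset flow in which the server holds only a salted PBKDF2 hash and a hashed, expiring reset token. The in-memory dictionaries and email addresses are constructed stand-ins for a database; with this design the reset email cannot contain the password, because nothing on the server can produce it.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for database tables.
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry timestamp)
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for SHA-256

def register(email, password):
    """Store a random salt and a PBKDF2 hash; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[email] = {"salt": salt, "hash": digest}

def verify_password(email, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(email)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])

def request_reset(email, now=None, ttl=900):
    """Issue a random, single-use token valid for ttl seconds; only its hash is stored.
    The returned token is what goes into the emailed link, not a password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (email, now + ttl)
    return token

def complete_reset(token, new_password, now=None):
    """Consume the token (pop removes it, so a replayed link fails) and re-hash."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None:
        return False
    email, expires = entry
    if now > expires:
        return False
    register(email, new_password)  # fresh salt and hash for the new password
    return True
```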

The moral of this story is that you need to thoroughly vet any SaaS you leverage. This is especially true if you are in the medical field.