MyCarePlanner 2.2.0 - third-party endpoint credentials are cached for all users, across sessions and browser restarts, potentially exposing healthcare data to unauthorized users #406
While debugging into issue #405 in Microsoft Edge, I observed the following behavior:
1. Authenticate to MyChart POC as rosefhir
2. Launch MyCarePlanner
3. Connect to Cerner Sandbox as a third-party endpoint
4. Authenticate as Wilma Smart (wilmasmart) user there
5. Wilma Smart's data is brought into the MyCarePlanner app
6. Authenticate to MyChart POC as andrew
7. Launch MyCarePlanner
8. Connect to Cerner Sandbox as a third-party endpoint
9. Wilma Smart's data is brought immediately into the MyCarePlanner app, bypassing authentication
It appears that a third-party endpoint's credentials are being cached in the browser, but those credentials do not appear to be tied to the authenticated user (rosefhir, andrew), nor to the active session / tab, nor are they cleared when the tab or browser is closed.
That is, performing the first operation (steps 1-5) in one browser tab and then performing the remaining operations (steps 6-9) in another tab, the credentials are shared across tabs in the same way.
Further, cached credentials were verified to persist, and to be shared, across closing the browser, reopening it, and loading MyCarePlanner for an entirely separate user.
Someone could use a browser to authenticate and load their third-party data, then close their browser, then someone else could come along and open the browser and load MyCarePlanner for themselves, and if they try to load the same third-party endpoint data for themselves, it will instead immediately load the previous user's data without requiring authentication.
This means that any user logging into the MyCarePlanner app using the same browser will obtain previously-obtained credentials to third-party providers, potentially exposing healthcare data to unauthorized users.
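The following is an added example, not MyCarePlanner code and not a claim about how the app actually stores third-party tokens. It models the two cache designs the report distinguishes: a token cache keyed only by the endpoint and kept in persistent browser storage (which reproduces steps 1-9 exactly as described, including across a browser restart), beside one keyed by the authenticated MyCarePlanner user, kept in session storage, checked for ownership on read, and cleared on logout. The storage shim, key names, endpoint URL and token contents are all constructed for illustration.

```javascript
// Added example: per-endpoint token caching vs. user-scoped, session-bound caching.
// Everything here (storage shim, keys, endpoint URL, token shape) is constructed;
// it is not the MyCarePlanner implementation.

// Minimal stand-in for window.localStorage / window.sessionStorage so this runs in Node.
class FakeStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
  removeItem(k) { this.items.delete(k); }
  clear() { this.items.clear(); }
}

// The "browser": localStorage survives a restart, sessionStorage does not.
class FakeBrowser {
  constructor() {
    this.localStorage = new FakeStorage();
    this.sessionStorage = new FakeStorage();
  }
  restart() { this.sessionStorage = new FakeStorage(); } // localStorage is kept
}

// Vulnerable pattern (matches the reported behaviour): the token is keyed by the
// endpoint alone and written to persistent storage, so whoever next connects the
// same endpoint in this browser gets it back, whatever user they logged in as.
class EndpointOnlyTokenCache {
  constructor(browser) { this.browser = browser; }
  key(endpoint) { return `fhir-token:${endpoint}`; }
  save(_user, endpoint, token) {
    this.browser.localStorage.setItem(this.key(endpoint), JSON.stringify(token));
  }
  load(_currentUser, endpoint) {
    const raw = this.browser.localStorage.getItem(this.key(endpoint));
    return raw ? JSON.parse(raw) : null;
  }
  onLogout() { /* nothing is cleared: the token outlives the MyCarePlanner session */ }
}

// Hardened pattern: the key is bound to the authenticated MyCarePlanner user, the
// entry lives in sessionStorage (gone when the tab/browser closes), the stored
// owner is re-checked on read, and logout wipes the session's tokens.
class UserScopedTokenCache {
  constructor(browser) { this.browser = browser; }
  key(user, endpoint) { return `fhir-token:${encodeURIComponent(user)}:${endpoint}`; }
  save(user, endpoint, token) {
    const entry = { ...token, owner: user };
    this.browser.sessionStorage.setItem(this.key(user, endpoint), JSON.stringify(entry));
  }
  load(currentUser, endpoint) {
    const k = this.key(currentUser, endpoint);
    const raw = this.browser.sessionStorage.getItem(k);
    if (!raw) return null;
    const entry = JSON.parse(raw);
    if (entry.owner !== currentUser) { // defence in depth: never hand out someone else's token
      this.browser.sessionStorage.removeItem(k);
      return null;
    }
    return entry;
  }
  onLogout() { this.browser.sessionStorage.clear(); }
}

// Replays the reported steps against a cache implementation. Returns the token the
// second user gets back when connecting the same endpoint without authenticating
// there, or null when the app would (correctly) have to send them to authenticate.
function replayReport(CacheClass, { secondUser = 'andrew', restartBrowser = false, logoutBetween = false } = {}) {
  const ENDPOINT = 'https://fhir.example.invalid/cerner-sandbox'; // constructed, not the real sandbox URL
  const browser = new FakeBrowser();
  const cache = new CacheClass(browser);

  // Steps 1-5: rosefhir connects the endpoint and authenticates there as wilmasmart.
  const wilmaToken = { access_token: 'constructed-token-for-wilmasmart', patient: 'wilmasmart' };
  cache.save('rosefhir', ENDPOINT, wilmaToken);

  if (logoutBetween) cache.onLogout();   // rosefhir logs out of MyCarePlanner
  if (restartBrowser) browser.restart(); // browser closed and reopened

  // Steps 6-8: the second user logs in to MyCarePlanner and connects the same endpoint.
  return cache.load(secondUser, ENDPOINT);
}
```

`replayReport(EndpointOnlyTokenCache)` and `replayReport(EndpointOnlyTokenCache, { restartBrowser: true })` both return wilmasmart's token to andrew, which is step 9 of the report; `replayReport(UserScopedTokenCache, ...)` returns null for andrew in every variant, while still returning the token to rosefhir within the same session, so the fix does not cost the legitimate user their connection.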