America's Frontline Doctors
Hack of the Cadence Health telemedicine platform and Ravkoo Pharmacy, both used by the right-wing America's Frontline Doctors group to prescribe and distribute ivermectin and hydroxychloroquine as false cures for COVID-19.
- The Intercept: Network of Right-Wing Health Care Providers Is Making Millions Off Hydroxychloroquine and Ivermectin, Hacked Data Reveals
- The Intercept: House Coronavirus Committee Launches Investigation Into Organizations Pushing Hydroxychloroquine, Ivermectin
Explanation of the Hack
The hacker told The Intercept that Cadence Health and Ravkoo were “hilariously easy” to hack. The websites of both companies had broken access controls, one of the most common mistakes in web application security.
The Cadence Health website only validated user input on the client side, not the server side, according to the hacker. This means that when a user accesses the telemedicine site the normal way, by loading the site in their browser, they can only access their own data, but if they write a program that tries to access other data on the server, the server will respond with that data. The hacker simply asked the server for all patient data.
The Ravkoo website had a “hidden admin panel that every user can log in to and view all the data,” according to the hacker. Using this admin panel, the hacker was able to exfiltrate all of the online pharmacy’s prescription data.
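A minimal sketch of the two access-control failures described above, with each weak handler next to a version that enforces the check on the server. This is an added example, not code from either company or from the original page; the record store, role table and all function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data; none of it comes from either company's systems.
RECORDS = {
    101: {"owner": "alice", "note": "constructed record A"},
    102: {"owner": "bob", "note": "constructed record B"},
}
ROLES = {"alice": "patient", "bob": "patient", "carol": "admin"}

class Forbidden(Exception):
    """Server refuses the request (the HTTP 403 case)."""

@dataclass(frozen=True)
class Session:
    user: str  # identity established at login and held server-side

def get_record_weak(session: Session, record_id: int) -> dict:
    # Weak: trusts the browser UI to request only the caller's own ID,
    # so any authenticated client can name any record.
    return RECORDS[record_id]

def get_record_checked(session: Session, record_id: int) -> dict:
    record = RECORDS.get(record_id)
    # Ownership is decided from server-side session state. "Missing" and
    # "not yours" get the same answer so valid IDs cannot be told apart.
    if record is None or record["owner"] != session.user:
        raise Forbidden("record not available to this user")
    return record

def admin_export_weak(session: Session) -> list:
    # Weak: the panel is only unlinked; any logged-in user who reaches it
    # gets every record.
    return list(RECORDS.values())

def admin_export_checked(session: Session) -> list:
    # The role is looked up on the server for every request.
    if ROLES.get(session.user) != "admin":
        raise Forbidden("admin role required")
    return list(RECORDS.values())

def is_denied(handler, *args) -> bool:
    """Return True when the handler refuses the request."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```
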