Sermo’s security controversy

Both Medgadget and PsychCentral write about exploiting a vulnerability in physician-only site Sermo:

In the physician community, there’s been a fair amount of buzz about a physician’s-only community (or “social network,” if you prefer) called Sermo. I was curious as to how strong their registration system was to prevent non-physicians from subscribing to the service, which is free and open to all physicians that have either an M.D. or a D.O. (and a DEA prescribing number). So I asked a technology and security consultant friend of mine to check it out.

His findings didn’t surprise me. It took him five minutes and only two tries to register a valid physician account at Sermo, even though he isn’t a physician. He used information freely available on the Internet to register as someone who was a legitimate physician.

Prev
Next