In January 2018, I discovered a security hole on www.cvs.com:
- Log into the site as user A with the “Remember me?” box checked.
- Log out.
- Log into the site again as user B.
- Observe that you are now logged into the site as user A, not user B.
The security implications of this are that if you log into cvs.com on a shared computer and then log out, someone else subsequently using the same computer could log into their own cvs.com account and end up with access to your private information, including, e.g., your prescriptions.
This is relevant both for shared computers in homes, and also for shared computers in public settings (hotel lobbies, internet cafés, etc.). While it’s true that people should not check the “Remember me?” box on a public computer, people make mistakes, and clicking “Logout” after realizing that such a mistake has been made should certainly be sufficient to correct it!
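To make the failure mode concrete, here is an added example that is not code from the post or from CVS: a constructed in-memory model in which a browser is a dict of cookies and the server keeps sessions and "Remember me?" tokens in dicts. The user names, passwords and cookie names are made up, and the assumed mechanism is that a valid remember-me cookie re-authenticates its owner on every request, so a token that survives logout silently reinstates user A. The same model is run with a logout that revokes the token server-side and clears the cookie, which is the fix a defender would want.

```python
"""Constructed model of the "Remember me?" / logout bug described in the post.

Not cvs.com's code: a tiny in-memory web app where a browser is a dict of
cookies and the server keeps sessions and remember-me tokens in dicts. The
assumption made here is that a valid remember-me cookie is honoured on every
request, so a token that survives logout silently re-authenticates its owner.
"""
import hashlib
import secrets

# Constructed sample accounts, not real credentials.
USERS = {"userA": "password-a", "userB": "password-b"}


def _digest(token: str) -> str:
    # Store only a hash of the remember-me token so a leaked table is useless.
    return hashlib.sha256(token.encode()).hexdigest()


class Server:
    def __init__(self, revoke_on_logout: bool):
        self.revoke_on_logout = revoke_on_logout
        self.sessions = {}          # session id -> username (short-lived)
        self.remember_tokens = {}   # sha256(token) -> username (persistent)

    def _restore_from_remember_cookie(self, jar):
        # Auto-login middleware (assumed mechanism of the bug): a valid
        # remember-me cookie re-creates the owner's session on any request,
        # taking precedence over whatever session cookie is present.
        token = jar.get("remember_me")
        owner = self.remember_tokens.get(_digest(token)) if token else None
        if owner and self.sessions.get(jar.get("session")) != owner:
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = owner
            jar["session"] = sid
        return owner

    def login(self, jar, username, password, remember_me=False):
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        jar["session"] = sid
        if remember_me:
            token = secrets.token_urlsafe(32)
            self.remember_tokens[_digest(token)] = username
            jar["remember_me"] = token

    def logout(self, jar):
        # Both variants drop the short-lived session...
        self.sessions.pop(jar.pop("session", None), None)
        if self.revoke_on_logout:
            # ...but only the fixed variant also revokes the persistent token
            # server-side AND tells the browser to discard the cookie.
            token = jar.pop("remember_me", None)
            if token:
                self.remember_tokens.pop(_digest(token), None)

    def current_user(self, jar):
        # Who the server believes is logged in on the next page load.
        restored = self._restore_from_remember_cookie(jar)
        if restored:
            return restored
        return self.sessions.get(jar.get("session"))


def reproduce(revoke_on_logout: bool):
    """Run the post's four steps in one browser; return the resulting user."""
    server = Server(revoke_on_logout)
    browser = {}
    server.login(browser, "userA", "password-a", remember_me=True)  # step 1
    server.logout(browser)                                           # step 2
    server.login(browser, "userB", "password-b")                     # step 3
    return server.current_user(browser)                              # step 4


def stale_cookie_after_fixed_logout():
    """Even if a browser ignored the cookie deletion and still sends the old
    remember-me token, the fixed server refuses it: revocation happens on the
    server, not only in the browser."""
    server = Server(revoke_on_logout=True)
    browser = {}
    server.login(browser, "userA", "password-a", remember_me=True)
    stale = browser["remember_me"]
    server.logout(browser)
    browser["remember_me"] = stale
    return server.current_user(browser)


if __name__ == "__main__":
    print("buggy logout ->", reproduce(False))   # userA: the reported bug
    print("fixed logout ->", reproduce(True))    # userB
    print("stale cookie ->", stale_cookie_after_fixed_logout())  # None
```

The design point is that logout has to do two independent things: delete the persistent cookie in the browser and revoke its server-side record. Clearing only the browser cookie is fragile (the deletion can fail or be ignored), while revoking only server-side leaves a dead cookie lying around; doing both is what makes "click Logout" sufficient on a shared machine.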
CVS does not appear to run any sort of bug bounty program. They do not appear to publicly advertise any mechanism for reporting security issues to them. In short, they make it quite difficult for someone who has discovered a security issue to report it to them.
Nevertheless, I persisted. First, I searched on LinkedIn for 2nd-degree connections that work at CVS and asked my 1st-degree connections who knew them to introduce me. Through this method I was able to obtain the email address of a product manager at CVS Health, whom I emailed on January 9 with details about the security issue. He never responded to my email.
Next, a CVS employee who asked not to be named here was able to obtain for me the email address of CVS Health’s Security Operations Center. I forwarded my report to that email address on January 9 as well. They never acknowledged it.
Having heard nothing back, on January 11 I emailed firstname.lastname@example.org, an email address I had on file from previous customer-service interactions with CVS, provided them with the details of the security hole, and asked them to escalate it through the appropriate channels. They responded the same day, “…we have escalated the information provided to our Technical Support Group for investigation. Once we receive a response we will contact you with their reply.” That was the last I heard from them.
I just checked the web site again today, and the issue has been fixed.
I have no idea if my multiple attempts to report the security issue to them ever made it to anyone in a position to do something about it. I have no idea if they just happened to coincidentally fix the issue I reported after I reported it, or if the timing of the fix is related to my report. I have no idea about any of this because CVS could not be bothered to extend the simple courtesy of acknowledging the effort someone made to responsibly disclose to them a significant security issue on their web site.
Shame on you, CVS.