OpenEMR is an open source electronic health records and medical practice management solution that is widely used in healthcare around the globe. Researchers from Project Insecurity recently uncovered a number of security vulnerabilities, including one that allowed attackers to bypass the login page by modifying the URL, potentially exposing patient data.
At first glance, this appears to highlight a risk that exists when the source code of vital software is posted online for public consumption. On closer inspection, however, this scenario clearly shows how valuable third-party security research can be for improving the security of open source software. After identifying these problems, the research team disclosed them to the OpenEMR project team, who then resolved the issues within two weeks, well before the vulnerabilities were publicly announced. It is impossible to tell whether malicious actors had already exploited these problems, but this story clearly illustrates the value of more eyes leading to bug fixes.