Uncovering 0-days in Healthcare Management Applications


OpenEMR is the most popular open-source medical practice management, electronic medical records, prescription writing and medical billing application used by healthcare professionals. Security researchers from Project Insecurity and SonarSource had already reported numerous vulnerabilities in the OpenEMR application prior to 2021.

However, the BAE Systems Vulnerability Research team took up the challenge of uncovering more vulnerabilities in the same application. To our surprise, we recently found a large number of high-impact vulnerabilities still present in the application. These vulnerabilities could expose medical records and other sensitive patient data, and could allow unauthorized personnel to tamper with billing information and administrator functionality. The security flaws were discovered by combining manual source code analysis with white-box testing.

In this talk we will share our experience of uncovering over 60 vulnerabilities, resulting in 8 public CVEs. We will share the key findings (subject to the pending patch rollout) and the challenges of hunting under the OpenEMR vulnerability disclosure program (VDP). It is our hope that this talk will encourage other researchers to get involved in vulnerability research and help make the Internet a safer place.

Speakers Information

Aden Yap Chuen Zhen

Aden is a penetration tester with BAE Systems based in Malaysia and has 6 years of experience in the field of cybersecurity. He is responsible for delivering red teaming exercises and various penetration tests across numerous industries, and has reported critical vulnerabilities in their applications and infrastructure. He holds CRTO, OSCP, CREST-CRT, CEH and other industry certifications. Apart from client projects, he has also contributed to bug bounty programs for the health and financial industries and to a vulnerability research program for Internet spaces.

Sheikh Rizan

Rizan is a passionate information security professional with more than 20 years of experience. He loves anything Linux or open-sourced. He spent over 13 years securing one of the largest oil and gas companies in the world from cyber threats. He holds several industry-relevant certifications including OSCP, OSCE, OSWE, Burp Certified Practitioner and CISSP. He has reported security bugs to the US Department of Defense (US DoD), Spotify, Amazon, General Motors, Toyota, Alibaba, Airbnb, Dell, Starbucks and Rockstar Games.

Muhammad Ali Akbar

Ali took his first steps in cybersecurity by participating in Capture The Flag (CTF) competitions. From there he developed a deeper interest in cybersecurity skills by writing a blog, creating tools and joining CTFs both globally and locally. He is a penetration tester with BAE Systems based in Malaysia and has reported several critical vulnerabilities to his clients. He also holds OSCP, CRTO and CREST-CRT industry certifications. Ali has also given back the knowledge he gained to local students in Malaysia and will continue to do so in the future.
