Your dentist is probably using horribly insecure patient software

You might now have one extra reason not to want to go to the dentist.

Advisories have been issued over three sets of software commonly used by dentists, after a security researcher found hard-coded credentials that could give an attacker full access to patient data.

The advisories, posted in Carnegie Mellon University's public vulnerability database (CERT), said that in all cases an attacker could remotely get administrative or root access to the software if they know the credentials.

CERT said in Tuesday's advisories that all versions of Dentsply Sirona CDR DICOM, a dental records management software, are affected by the issue. Similarly, Open Dental, which also manages dental records, uses a MySQL database that also comes with a default blank password.

On Wednesday, CERT issued its third near-identical advisory for Dexis Imaging Suite 10. The company advised users to update the database's credentials. Newer versions of the software don't use hard-coded credentials.

The scale of the problem could be huge, given how many dentists' offices use the named software.

According to Sirona's website, the company serves dozens of government customers, including Navy clinics, Veteran Affairs medical centers, the US Army, and the US Air Force, which combined could come to several hundred thousand patients.

Meanwhile, Open Dental, as free and open-source software, is available for anyone to download. It's reported that over 4,000 dental offices use the software.

It's not clear exactly why the software suites designed their software's security in that way.

We reached out to Sirona but didn't hear back at the time of writing. According to both advisories, there were no statements from the companies ahead of disclosure, about a month earlier.

Open Dental Chief Executive Nathan Sparks disputed the findings in an email to ZDNet, calling them "factually false", arguing that the default blank password can be changed.After publication, CERT updated its advisory to reflect that the issue related to a "blank" default password rather than a "hard-coded" password.

"We do still consider default blank passwords a security issue that may be corrected in other ways," said Garret Wassermann, a CERT vulnerability analyst, in an email.

Justin Shafer, a Texas-based dental computer technician, was credited with finding the three flaws.

Shafer earlier this year made headlines when the FBI conducted a raid on his home after he disclosed a flaw in Dentrix dental software.

Updated at 4:20pm: New comments and statement from CERT and Open Dental.

THIS YEAR IN HACKS

MySpace hack puts another 427 million passwords up for sale

A hacker claims to be selling millions of Twitter accounts

One of the biggest hacks happened last year, but nobody noticed

171 million VK.com accounts stolen by hackers

Hacker puts 51 million file sharing accounts for sale on dark web

Ubuntu Forums hack exposes 2 million users

Oracle investigating data breach at Micros point-of-sale division

Epic's forums hacked again, with thousands of logins stolen

Millions of Steam game keys stolen after hacker breaches gaming site

Hackers stole 43 million Last.fm account details in 2012 breach

• MySpace hack puts another 427 million passwords up for sale
• A hacker claims to be selling millions of Twitter accounts
• One of the biggest hacks happened last year, but nobody noticed
• 171 million VK.com accounts stolen by hackers
• Hacker puts 51 million file sharing accounts for sale on dark web
• Ubuntu Forums hack exposes 2 million users
• Oracle investigating data breach at Micros point-of-sale division
• Epic's forums hacked again, with thousands of logins stolen
• Millions of Steam game keys stolen after hacker breaches gaming site
• Hackers stole 43 million Last.fm account details in 2012 breach