Security flaws in court record systems used in five US states exposed sensitive legal documents
Witness lists and testimony, mental health evaluations, detailed allegations of abuse, and corporate trade secrets. These are some of the sensitive legal court filings that security researcher Jason Parker said they found exposed to the open internet for anyone to access, and from none other than the judiciaries themselves.
At the heart of any judiciary is its court records system, the technology stack for submitting and storing legal filings for criminal trials and civil legal cases. Court records systems are often in part online, allowing anyone to search and obtain public documents, while restricting access to sensitive legal filings in which public exposure could compromise a case.
But Parker said some court records systems used across the U.S. have simple security flaws that expose sealed, confidential, and sensitive but unredacted legal filings to anyone on the web.
Equipped with the findings of a tipster who first brought one of these systems to their attention, Parker fell down a rabbit hole investigating several affected court records systems. Parker subsequently uncovered security flaws in at least eight court records systems used across Florida, Georgia, Mississippi, Ohio, and Tennessee.
‘The next document that I found in the other court was a full mental health evaluation. It was thirty pages long in a criminal case, and it was as detailed as you would expect; it was from a doctor,’ they added.
The bugs vary by complexity, but could all be exploited by anyone using only the developer tools built into any web browser, Parker said.
These kinds of so-called ‘client-side’ bugs are exploitable from a browser because the affected systems relied on the web page to hide sensitive documents rather than checking, on the server, whether the person making each request is actually allowed to retrieve the document they asked for.
One of the bugs was as easy to exploit as incrementing a document number in the browser’s address bar of one Florida court records system, said Parker. Another bug allowed anyone ‘automatic passwordless’ access to a court records system by adding a six-letter code to any username, which Parker said they found as a clickable link in a Google search result.
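The two paragraphs above describe the classic insecure-direct-object-reference pattern: the server hands out a document for any number you type in, and only the search page's links ever hid the sealed ones. The following is an added example written for this page, not code from any affected court records system or vendor; the document store, user roles, case numbers and the policy that judges and counsel of record may read sealed filings are all constructed for illustration. It shows a vulnerable handler beside a hardened one and the enumeration an attacker performs from the address bar against each.

```python
"""Incrementing a document number: vulnerable handler vs. server-side authorization.

Added example (not from any real court records system). The store, users and
authorization policy below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    case_no: str
    title: str
    sealed: bool  # sealed/confidential filings must never be served to the public


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "public", "attorney", "judge"
    cases: frozenset = frozenset()  # cases this user is counsel of record on


# Constructed sample store with sequential IDs, as in the Florida system described above.
DOCS = {
    1001: Document(1001, "2023-CF-000412", "Notice of hearing", sealed=False),
    1002: Document(1002, "2023-CF-000412", "Mental health evaluation", sealed=True),
    1003: Document(1003, "2023-CA-000077", "Complaint", sealed=False),
    1004: Document(1004, "2023-CA-000077", "Exhibit filed under seal", sealed=True),
}

ANON = User("anonymous", "public")


def serve_document_vulnerable(user: User, doc_id: int) -> Document | None:
    """Vulnerable handler: the only 'check' is that the document exists.

    The portal's search page links only to non-sealed documents, so the author
    assumed sealed ones were hidden. No authorization decision is made on the
    server; changing the number in the URL bar is enough to read anything.
    """
    return DOCS.get(doc_id)


def is_authorized(user: User, doc: Document) -> bool:
    """Object-level authorization decision, evaluated on the server per request."""
    if not doc.sealed:
        return True  # public record: anyone may read it
    if user.role == "judge":
        return True  # constructed policy: judges may read sealed filings
    if user.role == "attorney" and doc.case_no in user.cases:
        return True  # counsel of record on that specific case
    return False


def serve_document_fixed(user: User, doc_id: int) -> Document | None:
    """Hardened handler: existence and authorization are both checked server-side.

    'Not found' and 'forbidden' collapse to the same answer so that an
    enumerating client cannot even learn which sealed IDs exist.
    """
    doc = DOCS.get(doc_id)
    if doc is None or not is_authorized(user, doc):
        return None
    return doc


def enumerate_sealed(handler, user: User, start: int, stop: int) -> list[int]:
    """What the address-bar attacker does: walk the ID space and keep the sealed hits."""
    hits = []
    for doc_id in range(start, stop):
        doc = handler(user, doc_id)
        if doc is not None and doc.sealed:
            hits.append(doc_id)
    return hits


if __name__ == "__main__":
    print("vulnerable, anonymous:", enumerate_sealed(serve_document_vulnerable, ANON, 1000, 1010))
    print("fixed, anonymous:     ", enumerate_sealed(serve_document_fixed, ANON, 1000, 1010))
```

The point of the hardened version is not the role table, which is invented here, but where the decision lives: every retrieval re-derives who the caller is and whether that caller may see that object, so hiding a link in the search results is no longer doing the job of access control.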
With help from vulnerability disclosure center CERT/CC and CISA’s Coordinated Vulnerability Disclosure team, which assisted in the coordination of disclosing these flaws, Parker shared details of nine total vulnerabilities with the affected vendors and judiciaries in an effort to get them fixed.
What came back was a mixed bag of results.
Catalis, a government technology software company that makes CMS360, a court records system used by judiciaries across Georgia, Mississippi, Ohio, and Tennessee, acknowledged the vulnerability in a ‘separate secondary application’ used by some court systems that allows the public, attorneys, or judges to search CMS360 data.
‘We have been in communication with the security researcher and have confirmed the vulnerabilities,’ said Tyler Technologies spokesperson Karen Shields. ‘At this time, we have no evidence of discovery or exploitation by a bad actor.’ The company did not say how it came to this conclusion.
In their disclosure published Thursday, Parker also said they notified five counties in Florida by way of the state courts administrator’s office. The five Florida courts are thought to have developed their own court records systems in-house.
Only one county is known to have fixed the vulnerability found in their system and ruled out improper access to sensitive court records.
A photo of Sarasota County Courthouse in Florida, one of the judiciaries with an affected court records system. Image Credit: Independent Picture Service / Universal Images Group via Getty.
Given the simplicity of some of the vulnerabilities, it is unlikely that Parker or the original tipster are the only people with knowledge of their exploitability.
The four remaining Florida counties have yet to acknowledge the flaws, say if they have implemented fixes, or confirm if they have the ability to determine if sensitive records were ever accessed.
Hillsborough County, which includes Tampa, would not say if its systems were patched following Parker’s disclosure. In a statement, Hillsborough County Clerk spokesperson Carson Chambers said: ‘The confidentiality of public records is a top priority of the Hillsborough County Clerk’s office. Multiple security measures are in place to ensure confidential court records can only be viewed by authorized users. We consistently implement the latest security enhancements to Clerk systems to prohibit it from happening.’
Lee County, which covers Fort Myers and Cape Coral, also would not say if it had fixed the vulnerability, but said it reserved the right to take legal action against the security researcher.
When reached for comment, Lee County spokesperson Joseph Abreu provided an identical boilerplate statement as Hillsborough County, with the addition of a thinly veiled legal threat. ‘We interpret any unauthorized access, intentional or unintentional, as a potential violation of Florida Statute Chapter 815, and may also result in civil litigation by our office.’
Representatives for Monroe County and Brevard County, which Parker also filed vulnerability disclosures with, did not respond to requests for comment.
For Parker, their research amounts to hundreds of unpaid hours, but represents only the tip of the iceberg of affected court record systems, noting that at least two other court record systems have similar unpatched vulnerabilities today.
Parker said they hope their findings help make changes and spur on improvements to the security of government tech applications. ‘Gov-tech is broken,’ they said.
Ref: techcrunch