Security researcher Jason Parker has uncovered significant vulnerabilities in U.S. court records systems, exposing sealed, confidential, and sensitive legal filings to potential public access. Court records are the backbone of any judiciary, handling legal documents for criminal trials and civil cases. While some documents are publicly accessible, sensitive filings must remain confidential to preserve case integrity.
Parker's investigation began when they were contacted by an informant who had read their previous report on a vulnerability in Bluesky, the social network that emerged after Twitter's sale to Elon Musk. The informant pointed to two U.S. court records systems with vulnerabilities that left sensitive legal filings exposed, and said that reporting the bugs to the affected courts had drawn no response.
With this tip, Parker embarked on an investigation, uncovering security flaws in eight court records systems used in Florida, Georgia, Mississippi, Ohio, and Tennessee. These vulnerabilities were accessible via standard web browsers, making them easy to exploit. One flaw allowed unauthorized access by incrementing document numbers in the browser's address bar. Another provided "automatic passwordless" access through a clickable link found in a Google search result.
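The first flaw described above is a classic insecure direct object reference: the server trusts the document number in the URL and never asks whether the caller may see that filing. The following is an added illustration written for this article, not code from any of the vendors or courts named in it. The record store, the `User` and `Document` types, the sealed-filing rule and the `readable_ids` audit helper are all constructed assumptions; the point is the side-by-side difference between a handler that only checks existence and one that also checks authorization and returns the same "not found" result for missing and forbidden documents.

```python
"""Added example: an insecure direct object reference (IDOR) on a court
document endpoint, beside a hardened version that enforces authorization.
All records, users and types here are constructed for illustration; none
come from the systems discussed in the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()  # assumed role model, e.g. {"clerk"}


@dataclass(frozen=True)
class Document:
    doc_id: int
    case_no: str
    sealed: bool
    parties: frozenset  # user names entitled to view a sealed filing
    body: str


# Constructed sample store. IDs are sequential, like the numbers that could be
# incremented in the address bar in the cases the article describes.
DOCS = {
    1001: Document(1001, "2023-CV-0001", False, frozenset({"alice"}), "public complaint"),
    1002: Document(1002, "2023-CV-0001", True, frozenset({"alice"}), "sealed exhibit"),
    1003: Document(1003, "2023-CR-0042", True, frozenset({"bob"}), "sealed evaluation"),
}


class NotFound(Exception):
    """Raised for both missing and unauthorized documents, so the response
    does not reveal whether a sealed filing exists at a given number."""


def get_document_vulnerable(doc_id: int, user: User) -> Document:
    # Vulnerable pattern: the ID from the URL is the only input that matters.
    # Whoever `user` is, every document that exists is returned.
    try:
        return DOCS[doc_id]
    except KeyError:
        raise NotFound(doc_id)


def is_authorized(doc: Document, user: User) -> bool:
    """Public filings are open; sealed ones need a clerk role or party status."""
    if not doc.sealed:
        return True
    return "clerk" in user.roles or user.name in doc.parties


def get_document_hardened(doc_id: int, user: User) -> Document:
    # Hardened pattern: existence and authorization are both checked, and the
    # two failure cases are indistinguishable to the caller.
    doc = DOCS.get(doc_id)
    if doc is None or not is_authorized(doc, user):
        raise NotFound(doc_id)
    return doc


def readable_ids(handler, user: User, start: int, stop: int) -> list:
    """Audit helper: which document IDs in [start, stop) does `handler`
    hand to `user`? Run against your own handler to confirm the fix."""
    readable = []
    for doc_id in range(start, stop):
        try:
            readable.append(handler(doc_id, user).doc_id)
        except NotFound:
            pass
    return readable


if __name__ == "__main__":
    anon = User("anon")
    print("vulnerable:", readable_ids(get_document_vulnerable, anon, 1000, 1010))
    print("hardened:  ", readable_ids(get_document_hardened, anon, 1000, 1010))
```

Opaque, non-sequential identifiers make sweeping harder but are not a substitute for the authorization check: the sealed flag has to be enforced on every read, regardless of how the caller obtained the number.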
Parker shared their findings with the affected vendors and judiciaries, working with vulnerability disclosure centers to coordinate fixes. While three technology vendors acknowledged and fixed the bugs, only two confirmed the effectiveness of the remedies.
Catalis, the developer of CMS360 used across multiple states, acknowledged the vulnerability but claimed no evidence of confidential data access. Tyler Technologies fixed vulnerabilities in its Case Management Plus module but offered no evidence of exploitation. Henschen & Associates, an Ohio software maker, fixed the bug but did not respond to inquiries.
Parker also notified five Florida counties through the state courts administrator's office. Only Sarasota County confirmed the fix and ruled out improper access to sensitive court records. The other four counties remain unresponsive, leaving the extent of potential data breaches unclear.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, noted that data may already have been stolen without anyone having discovered it yet: "Catalis, the software company that makes the court records system, told TechCrunch that it has no evidence that confidential data was accessed as a result of the exposure. But a lack of logs doesn't mean it didn't happen. Our honeypot experiments show that publicly exposed databases can be discovered by attackers within hours and targeted dozens of times per minute. The parties involved should work under the assumption that the data was stolen."
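Whether an exposure was exploited can only be answered from logs that were actually kept and then examined for the pattern in question. As an added example (not from Comparitech, Catalis or any court in the article), the function below reads web server access logs in the common combined format and flags clients that walk through consecutive document numbers in a short window. The `/documents/<id>` path, the thresholds and the log lines themselves are constructed assumptions; the signal it looks for is the one the article describes, a run of incremented IDs, often mixed with "not found" responses where a hardened system refuses sealed filings.

```python
"""Added example: flag document-ID enumeration in web access logs.
Log format (Apache/nginx combined), the /documents/<id> route and the
thresholds are assumptions; SAMPLE_LOG is constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
DOC_RE = re.compile(r"^/documents/(\d+)(?:\?|$)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client sweeps 1001..1007 in seven seconds and
# hits mostly "not found"; another behaves like a normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:09:00:01 +0000] "GET /documents/1001 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2024:09:00:02 +0000] "GET /documents/1002 HTTP/1.1" 404 312
203.0.113.7 - - [10/Jan/2024:09:00:03 +0000] "GET /documents/1003 HTTP/1.1" 404 312
203.0.113.7 - - [10/Jan/2024:09:00:04 +0000] "GET /documents/1004 HTTP/1.1" 200 7781
203.0.113.7 - - [10/Jan/2024:09:00:05 +0000] "GET /documents/1005 HTTP/1.1" 404 312
203.0.113.7 - - [10/Jan/2024:09:00:06 +0000] "GET /documents/1006 HTTP/1.1" 404 312
203.0.113.7 - - [10/Jan/2024:09:00:07 +0000] "GET /documents/1007 HTTP/1.1" 404 312
198.51.100.4 - - [10/Jan/2024:09:05:10 +0000] "GET /documents/1001 HTTP/1.1" 200 5120
198.51.100.4 - - [10/Jan/2024:09:05:40 +0000] "GET /search?q=smith HTTP/1.1" 200 2210
198.51.100.4 - - [10/Jan/2024:09:06:02 +0000] "GET /documents/2043 HTTP/1.1" 200 9003
"""


def parse(line):
    """Return (ip, timestamp, doc_id, status) for document requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = DOC_RE.match(m["path"])
    if not d:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], ts, int(d.group(1)), int(m["status"])


def longest_consecutive_run(ids):
    """Longest run of IDs that each increase by exactly one, in request order."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(log_text, min_run=5, window_s=60):
    """Map client IP -> details for clients whose requests include a run of
    at least `min_run` consecutive document IDs within `window_s` seconds."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            per_ip[rec[0]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[1])
        run = longest_consecutive_run([r[2] for r in recs])
        span = (recs[-1][1] - recs[0][1]).total_seconds()
        if run >= min_run and span <= window_s:
            alerts[ip] = {
                "requests": len(recs),
                "longest_run": run,
                "span_s": span,
                "not_found": sum(1 for r in recs if r[3] == 404),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are deliberately simple; in practice the window should follow the site's normal browsing rate, and the check belongs on retained logs, because a system that never recorded document reads cannot later show that sealed filings were not touched.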
Parker's discoveries, while alarming, may only scratch the surface of vulnerable court record systems. They hope their findings will drive improvements in the security of government tech applications, shedding light on the vulnerabilities plaguing the government technology sector.