Security flaws in court records systems used in five US states exposed sensitive legal documents

Lists of witnesses and testimony, mental health assessments, detailed allegations of abuse, and corporate trade secrets. These are some of the sensitive legal court filings that security researcher Jason Parker says they found exposed on the open internet for anyone to access, by none other than the judiciary itself.

At the heart of any judiciary is the court records system, the technology stack for submitting and storing legal filings for criminal trials and civil legal cases. Court records systems are often partly online, allowing anyone to search and obtain public documents, while restricting access to sensitive legal filings where public exposure could compromise a case.

But Parker said some court records systems used across the U.S. have simple security flaws that expose sealed, confidential, and sensitive but unredacted legal filings to anyone on the web.

Parker told TechCrunch that they were contacted in September by someone who had read their earlier report documenting a vulnerability in Bluesky, the new social network that emerged after the sale of Twitter to Elon Musk. The tipster told Parker that two U.S. court records systems had vulnerabilities that exposed sensitive legal filings to anyone on the web. The tipster reported the bugs to the affected courts but said they had not heard back, Parker told TechCrunch in a call earlier this month.

Armed with the tipster’s findings, Parker fell down a rabbit hole investigating several affected court records systems. Parker later found security flaws in at least eight court records systems used across Florida, Georgia, Mississippi, Ohio, and Tennessee.

“The first document I found was an order from a judge in a domestic violence case. The order was to grant name changes for the children to keep them safe from the spouse,” Parker told TechCrunch, talking about replicating the initial weakness. “Immediately my jaw went to the center of the earth and stayed that way for weeks.”

“The next document I found in the other court was a full mental health evaluation. It’s thirty pages long on a criminal case, and it’s as detailed as you’d expect; it’s from the doctor,” they added.

The bugs vary in complexity, but all can be exploited by anyone using only the developer tools built into any web browser, Parker said.

These so-called “client-side” bugs can be exploited from a browser because the affected system does not perform the proper security checks to determine who is allowed to access the sensitive documents stored inside.

One of the bugs was as easy to exploit as changing the document number in a browser’s address bar in a Florida court records system, Parker said. Another bug allowed anyone “automatic passwordless” access to a court records system by adding a six-letter code to any username, which Parker said they found as a clickable link in a Google search result.
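The missing server-side check described above, shown next to a corrected handler. This is an added example, not code from any of the affected systems; the `Filing` and `User` types, the roles, the access policy and the sample records are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Filing:
    doc_id: int
    case_id: str
    sealed: bool
    body: str

@dataclass(frozen=True)
class User:
    name: str
    role: str                       # "attorney" or "judge" (hypothetical roles)
    cases: frozenset = frozenset()  # case ids the user is counsel on

# Constructed sample store; a real system would query its database.
FILINGS = {
    1001: Filing(1001, "CV-1", False, "public docket entry"),
    1002: Filing(1002, "DR-7", True, "sealed protective order"),
}

class NotAvailable(Exception):
    """Raised for missing and forbidden documents alike."""

def fetch_unchecked(doc_id):
    # Flawed pattern: the search page hides sealed filings, but the
    # endpoint itself returns whatever document number it is given.
    return FILINGS[doc_id].body

def may_read(user, filing):
    # Assumed policy: anyone reads public filings; sealed filings go only
    # to judges and to attorneys attached to that case.
    if not filing.sealed:
        return True
    if user is None:                # anonymous visitor
        return False
    if user.role == "judge":
        return True
    return user.role == "attorney" and filing.case_id in user.cases

def fetch_checked(user, doc_id):
    # The decision is made on the server, per request, from the session's
    # identity; nothing the browser sends is trusted to grant access.
    filing = FILINGS.get(doc_id)
    if filing is None or not may_read(user, filing):
        # One answer for both cases, so replies do not confirm which
        # document numbers belong to sealed filings.
        raise NotAvailable(doc_id)
    return filing.body
```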

With help from vulnerability disclosure center CERT/CC and CISA’s Coordinated Vulnerability Disclosure team, who helped coordinate the disclosure of these flaws, Parker shared details of nine common vulnerabilities with affected vendors and the judiciary in an effort to fix them.

What came back was a mixed bag of results.

Three technology vendors have fixed bugs in their respective court records systems, Parker said, but only two companies have confirmed to TechCrunch that the fixes have taken effect.

Catalis, a government technology software company that makes CMS360, a court records system used by judiciaries across Georgia, Mississippi, Ohio, and Tennessee, acknowledged the vulnerability in a “separate secondary application” used by some court systems that allows the public, lawyers, or judges to search CMS360 data.

“We have no records or logs indicating that confidential data was accessed through the vulnerability, and have received no such reports or evidence,” said Catalis executive Eric Johnson in an email to TechCrunch. Catalis would not say whether it maintains the specific logs that would rule out improper access to sensitive court documents.

Software company Tyler Technologies says it has fixed vulnerabilities in the Case Management Plus module of a court records system used only in Georgia, the company told TechCrunch.

“We spoke with the security researcher and confirmed the vulnerabilities,” said Tyler spokeswoman Karen Shields. “At this time, we have no evidence of discovery or exploitation by a bad actor.” The company did not say how this happened.

Parker said Henschen & Associates, a local Ohio software maker that provides a statewide court records system called CaseLook, has fixed the vulnerability but did not respond to emails. Henschen president Bud Henschen also did not respond to emails from TechCrunch, or confirm that the company has fixed the bug.

In their disclosure published on Thursday, Parker also said they notified five Florida counties through the state courts administrator’s office. The five Florida courts are believed to have developed their own court records systems in-house.

Only one county is known to have fixed the vulnerability found in their system and ruled out improper access to sensitive court records.

A photo of the Sarasota County Courthouse in Florida, one of the jurisdictions with an affected court records system. Image Credits: Independent Picture Service/Universal Images Group via Getty Images

Sarasota County says it has fixed a vulnerability in its court records system, which it calls ClerkNet, that allowed access to documents by incrementing through sequential document numbers. In a letter provided to TechCrunch when reached for comment, Sarasota County clerk of circuit court Karen Rushing said a review of its access logs “did not reveal any instances where sealed or confidential information was accessed.” The county disputed the existence of a second flaw reported by Parker.

Given the simplicity of some of the vulnerabilities, it’s unlikely that Parker or the original tipster were the only people who knew how to exploit them.

Florida’s four remaining counties have yet to identify the errors, say whether they have implemented fixes, or confirm whether they have the ability to determine whether sensitive records were accessed.
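The kind of access-log review that Sarasota County describes, and that the other jurisdictions would need to be able to run, can be sketched as follows. This is an added example, not any county's or vendor's tooling; the log format, the `/doc/<number>` path, the sealed-document list and the account name are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format: time, client IP, session user ("-" if none),
# request, status. The addresses are documentation-range placeholders.
LINE = re.compile(r"^(\S+) (\S+) (\S+) GET /doc/(\d+) (\d{3})$")
SAMPLE_LOG = """\
2023-10-02T09:00:01Z 198.51.100.7 - GET /doc/1001 200
2023-10-02T09:00:02Z 198.51.100.7 - GET /doc/1002 200
2023-10-02T09:00:03Z 198.51.100.7 - GET /doc/1003 200
2023-10-02T09:00:04Z 198.51.100.7 - GET /doc/1004 200
2023-10-02T09:00:05Z 198.51.100.7 - GET /doc/1005 404
2023-10-02T10:15:00Z 203.0.113.20 judge.a GET /doc/1002 200
2023-10-02T11:30:00Z 203.0.113.9 - GET /doc/1001 200
2023-10-02T11:31:00Z 203.0.113.9 - GET /doc/1003 200
"""
SEALED = {1002, 1004}      # assumed export of sealed document numbers
AUTHORIZED = {"judge.a"}   # assumed accounts cleared for sealed filings

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, ip, user, doc, status = m.groups()
            rows.append((ts, ip, user, int(doc), int(status)))
    return rows

def sealed_exposures(rows):
    # Sealed documents actually served (200) to a session not on the list.
    return [r for r in rows
            if r[3] in SEALED and r[4] == 200 and r[2] not in AUTHORIZED]

def sequential_runs(rows, min_len=4):
    # Longest streak of consecutive document numbers requested per client.
    by_ip = defaultdict(list)
    for _, ip, _, doc, _ in rows:
        by_ip[ip].append(doc)
    flagged = {}
    for ip, docs in by_ip.items():
        best = run = 1
        for prev, cur in zip(docs, docs[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_len:
            flagged[ip] = best
    return flagged
```

A clean result from a review like this only rules out improper access if the server recorded document numbers and response codes for the whole period the flaw was live.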

Hillsborough County, which includes Tampa, would not say whether its systems were patched after Parker’s disclosure. In a statement, Hillsborough County Clerk’s spokesman Carson Chambers said: “The confidentiality of public records is a top priority of the Hillsborough County Clerk’s office. Numerous security measures are in place to ensure that those confidential court records can only be viewed by authorized users. We regularly implement the latest security enhancements in the Clerk’s systems to prevent this from happening.”

Lee County, which covers Fort Myers and Cape Coral, also would not say whether it has fixed the vulnerability, but said it reserves the right to take legal action against the security researcher.

When reached for comment, Lee County spokesman Joseph Abreu gave the same boilerplate statement as Hillsborough County, with the addition of a thinly veiled legal threat. “We interpret any unauthorized access, intentional or unintentional, as a potential violation of Florida Statute Chapter 815, and may also result in civil litigation by our office.”

Representatives of Monroe County and Brevard County, where Parker also filed vulnerability disclosures, did not respond to requests for comment.

For Parker, the research totaled hundreds of unpaid hours but represented only the tip of the iceberg of affected court records systems; Parker noted that at least two other court records systems had the same vulnerabilities that have not been identified so far.

Parker said they hope their findings will help make changes and encourage improvements in the security of government technology applications. “Government technology is broken,” they said.


You can contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849 or via email. You can also contact TechCrunch through SecureDrop.
