Introduction
Security vulnerabilities allow public access to restricted, sealed, and confidential legal documents in court files using only a web browser.
Security Vulnerabilities in Court Record Systems
Security researcher Jason Parker reported that they found sensitive legal documents exposed on the internet and accessible to everyone, through the court record systems themselves.
Court record systems are part of any judicial system, serving to present and store legal documents for criminal trials and civil legal cases. Typically, court record systems are partially available online, allowing anyone to search for and obtain public documents, while restricting access to sensitive legal documents that could compromise a case.
Parker stated that some court record systems used in the United States suffer from simple security vulnerabilities that expose sealed, confidential, and unredacted legal documents to anyone on the web.
Discovery of Security Vulnerabilities
According to Parker, they were contacted in September by someone who read their previous report documenting a vulnerability in Bluesky, the new social network that emerged after the sale of Twitter to Elon Musk. The correspondent informed him that there were two vulnerabilities in American court record systems that expose sensitive legal documents to anyone on the web. The correspondent reported the vulnerabilities to the relevant courts, but they received no response, according to Parker during a call with TechCrunch earlier this month.
After receiving the correspondent’s findings, Parker investigated several affected court record systems. Parker subsequently discovered security vulnerabilities in eight court record systems used in Florida, Georgia, Mississippi, Ohio, and Tennessee.
Parker said: “The first document I encountered was an order from a judge in a domestic violence case. It was an order to grant name changes for children to protect them from the spouse.” He added: “Immediately, my thoughts went to the extreme and stayed there for weeks.”
He continued: “The next document I found in the other court was a full mental health assessment. It was thirty pages in a criminal case and was as detailed as you’d expect; it was from a doctor.”
Impact of Security Vulnerabilities
The vulnerabilities vary in complexity, but all can be exploited by anyone using the developer tools built into any web browser, according to Parker.
Known as “client-side” vulnerabilities, these can be exploited using the browser because the affected system did not conduct the necessary security checks to determine who is entitled to access the sensitive documents stored within.
Parker explained that one vulnerability could be easily exploited by incrementing the document number in the browser address bar in the Florida court record system. He added that another vulnerability allowed anyone to access “without a password automatically” the court record system by adding a six-character code to any username, which Parker found as a clickable link in Google search results.
Addressing the Security Vulnerabilities
With the help of the CERT/CC vulnerability disclosure center and the CISA coordinated vulnerability disclosure team, Parker shared details of nine security vulnerabilities with vendors and relevant courts with the aim of fixing them.
The results were varied, with three technology vendors fixing the vulnerabilities in their court record systems, but only two confirmed to TechCrunch that the patches were in effect.
Catalis, a government technology software company that makes the CMS360 court record system used in Georgia, Mississippi, Ohio, and Tennessee, acknowledged the vulnerability in a “separate secondary application” used by some court systems to allow the public, attorneys, or judges to search the CMS360 data.
Catalis CEO Eric Johnson said in an email to TechCrunch: “We do not have records or logs indicating that confidential data was accessed through that vulnerability, nor have we received any reports or evidence to that effect.” Catalis did not explicitly state whether it retains the specific records needed to rule out inappropriate access to sensitive court documents.
said
Tyler Technologies, a software company, has patched vulnerabilities in its case management unit of the court records system used exclusively in Georgia, according to a spokesperson for Tyler, Karen Shields. The company did not disclose how it reached this conclusion.
Parker stated that Henschen & Associates, a local software company in Ohio providing a court records system called CaseLook across the state, has fixed the vulnerability but did not respond to emails. The head of Henschen, Bud Henschen, did not reply to TechCrunch’s emails or confirm that the company had patched the vulnerability.
Impact of Vulnerabilities in Florida
In their disclosure published on Thursday, Parker also mentioned that they informed five counties in Florida through the state court administrator’s office. It is believed that five courts in Florida have developed their court records systems internally.
It is only known that one county has patched the vulnerability found in their system and has ruled out unauthorized access to sensitive court documents.
Future Challenges
Due to the simplicity of some vulnerabilities, it is unlikely that either Parker or the original reporter are the only individuals who are aware of their potential exploitation.
The other four counties in Florida have not acknowledged the vulnerabilities and have not announced whether they have implemented patches or confirmed their ability to ascertain whether sensitive records were accessed.
Hillsborough County, which includes Tampa, has stated that it will not disclose whether its systems have been fixed following the disclosure made by Parker. A spokesperson for the Hillsborough County Clerk’s Office, Carson Chambers, stated: “The confidentiality of public records is of utmost priority for the Hillsborough County Clerk’s Office. Various security measures are in place to ensure that confidential court records are only viewed by authorized users. We are continuously implementing the latest security enhancements to court systems to prevent this from happening.”
Additionally, Lee County, which includes Fort Myers and Cape Coral, has not disclosed whether it fixed the vulnerability but stated that it reserves the right to take legal action against the security researcher.
Researcher’s Conclusions
Parker’s research represents hundreds of unpaid hours, but it only represents a small fraction of the affected court records systems, indicating that there are at least two other court records systems with unpatched vulnerabilities to date.
Parker expressed hope that the findings from his research will help bring about changes and enhance improvements in the security of government technology applications. He said, “Government technology is broken.”
Source:
https://techcrunch.com/2023/11/30/fidelity-national-financial-cyberattack-contained/
Source: https://techcrunch.com/2023/11/30/us-court-records-systems-vulnerabilities-exposed-sealed-documents/
Leave a Reply