A cybersecurity researcher claims to have discovered potentially serious vulnerabilities in several e-filing and record management systems used by government organizations in the United States.
The researcher, Jason Parker, has been responsibly disclosing his findings to the impacted organizations and software vendors for the past year, and he is now making public details on the various vulnerabilities he discovered.
The security holes exposed court records and other types of information. The products in which he found vulnerabilities are used in Georgia, Florida, Ohio, Arizona, South Carolina, and other states.
A majority of the vendors alerted by the researcher seem to have addressed the vulnerabilities, although some did a poor job when it came to communicating, according to Parker.
One report describes vulnerabilities found in several public court record platforms, which allowed unauthorized access to “sealed, confidential, unredacted, and/or otherwise restricted case documents”. The security holes impacted products from Catalis, Henschen & Associates, and Tyler Technologies, as well as several platforms developed internally by county courts.
Sensitive court data was also exposed by a vulnerability in the Thomson Reuters C-Track eFiling product.
In Granicus’ eFiling product and the company’s GovQA public records management solution the researcher discovered several vulnerabilities. The eFiling weaknesses allowed access to all case filings, and enabled attackers to obtain user information and tamper with user accounts. The GovQA flaws leaked usernames and emails, enabled attackers to reset any password, and exposed confidential records.
In Catalis’ EZ-Filing e-filing platform the researcher found vulnerabilities exposing contact information and documents containing confidential medical information, but exploitation required authentication.
Advertisement. Scroll to continue reading.
Parker also found that a vulnerability in Georgia’s voter registration cancellation portal allowed unauthorized individuals to submit a cancellation request without proper identity verification.
One of the vulnerabilities impacts the BluHorse Jail Management System, an inmate records platform used in over a dozen prisons in the United States. According to the researcher, the flaw leaked personal data on inmates and officers.
In an officer complaints platform used by the NYPD, the researcher found security holes allowing access to the admin dashboard.
“These findings reveal critical security weaknesses that could allow attackers to access confidential information, manipulate legal filings, and compromise personal data across several key systems,” Parker wrote in a blog post summarizing his findings.
“These systems play a critical role in the judicial process, managing everything from legal cases to public records on behalf of government agencies. However, beneath their essential functions, these platforms harbor vulnerabilities that could be exploited with ease — even by attackers with minimal technical expertise, thus underscoring the fragility of systems meant to safeguard our most sensitive public records,” he added.
Related: JAVS Courtroom Audio-Visual Software Installer Serves Backdoor
Related: Phone Lines Down in Multiple Courts Across California After Ransomware Attack
Related: California Officials Say Largest Trial Court in US Victim of Ransomware Attack