Security flaws in court record systems used in five US states exposed sensitive legal documents


Witness lists and testimony, mental health evaluations, detailed allegations of abuse and corporate trade secrets. These are some of the sensitive legal court filings that security researcher Jason Parker said they found exposed to the open internet for anyone to access, and from none other than the judiciaries themselves.

At the heart of any judiciary is its court records system, the technology stack for submitting and storing legal filings for criminal trials and civil legal cases. Court records systems are often partly online, allowing anyone to search and obtain public documents while restricting access to sensitive legal filings whose public exposure could compromise a case.

But Parker said some court records systems used across the U.S. have simple security flaws that expose sealed, confidential and sensitive but unredacted legal filings to anyone on the web.

Parker told TechCrunch that they were contacted in September by someone who read their earlier report documenting a vulnerability in Bluesky, the new social network that emerged after Twitter’s sale to Elon Musk. The tipster told Parker that two U.S. court records systems had vulnerabilities that were exposing sensitive legal filings to anyone on the web. The tipster reported the bugs to the affected courts but said they heard nothing back, Parker told TechCrunch in a call earlier this month.

Equipped with the tipster’s findings, Parker fell down a rabbit hole investigating several affected court records systems. Parker subsequently uncovered security flaws in at least eight court records systems used across Florida, Georgia, Mississippi, Ohio and Tennessee.

“The first document I ran across was an order from a judge in a domestic violence case. The order was to grant name changes for children to basically keep them safe from the spouse,” Parker told TechCrunch, speaking about reproducing the first vulnerability. “Immediately my jaw just went to the center of the earth and stayed that way for weeks.”

“The next document that I found in the other court was a full mental health evaluation. It was thirty pages long in a criminal case, and it was as detailed as you would expect; it was from a doctor,” they added.

The bugs vary in complexity, but all of them could be exploited by anyone using only the developer tools built into any web browser, Parker said.

These kinds of so-called “client-side” bugs are exploitable with nothing more than a browser because the affected system relied on its web front end to hide sensitive documents, while the server behind it was not performing the proper security checks to determine who is allowed to access a given document. Any request that sidesteps the front end, by editing a URL or a form field in the browser’s developer tools, is served as if it were legitimate.

One of the bugs was as easy to exploit as incrementing a document number in the browser’s address bar of one Florida court records system, said Parker. That is a textbook insecure direct object reference: the document numbers were sequential, so a visitor could step through them one at a time and retrieve whatever came back, sealed or not. Another bug allowed anyone “automatic passwordless” access to a court records system by appending a six-letter code to any username, which Parker said they found as a clickable link in a Google search result.
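The document-number bug above is worth seeing in code. The following is an added illustration, not code from any of the court systems or vendors named in this article: a minimal document lookup with sequential IDs, first in the form that fails (the server trusts that the UI never links to sealed filings and returns whatever exists), then with the authorization check that should have been there. The `Document` and `Session` records, the constructed sample filings and the role names are assumptions for the example; the enumeration helper does what a tester does when incrementing the number in the address bar.

```python
"""Sequential document IDs with and without a server-side authorization check.

Added example: a toy court-records lookup, not any vendor's real code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Document:
    doc_id: int
    case_no: str
    sealed: bool
    title: str


@dataclass(frozen=True)
class Session:
    user: str
    role: str                 # assumed roles: "public", "attorney", "judge"
    cases: FrozenSet[str]     # case numbers the user is counsel or a party on


# Constructed sample data: sequential IDs, two of them sealed filings.
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "2023-CV-0017", False, "Notice of hearing"),
    1002: Document(1002, "2023-DR-0042", True,  "Order granting name change (sealed)"),
    1003: Document(1003, "2023-CV-0017", False, "Motion to dismiss"),
    1005: Document(1005, "2023-CR-0108", True,  "Mental health evaluation (confidential)"),
    1006: Document(1006, "2023-CR-0108", False, "Scheduling order"),
}

PUBLIC = Session("anon", "public", frozenset())
ATTORNEY = Session("counsel", "attorney", frozenset({"2023-CR-0108"}))
JUDGE = Session("hon.judge", "judge", frozenset())


class NotFound(Exception):
    """Returned for missing documents, and (in the hardened handler) for forbidden ones."""


def vulnerable_get_document(session: Session, doc_id: int) -> Document:
    """The flaw: the only 'protection' is that the UI never links to sealed filings.

    The server never consults the session, so anyone who knows or guesses
    an ID gets the document.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def is_authorized(session: Session, doc: Document) -> bool:
    """Object-level authorization: decided per document, per requester, on the server."""
    if not doc.sealed:
        return True
    if session.role == "judge":
        return True
    return doc.case_no in session.cases


def hardened_get_document(session: Session, doc_id: int) -> Document:
    """Same lookup, but the access decision is made here, not in the front end.

    Forbidden and missing documents both yield NotFound so an enumerator
    cannot use the response to learn which sealed IDs exist.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_authorized(session, doc):
        raise NotFound(doc_id)
    return doc


Fetcher = Callable[[Session, int], Document]


def enumerate_sealed(fetch: Fetcher, session: Session, start: int, stop: int) -> List[int]:
    """Walk IDs the way a tester increments the address-bar parameter.

    Returns the IDs of sealed documents the handler handed back to this session.
    """
    leaked = []
    for doc_id in range(start, stop):
        try:
            doc = fetch(session, doc_id)
        except NotFound:
            continue
        if doc.sealed:
            leaked.append(doc_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable, anonymous:", enumerate_sealed(vulnerable_get_document, PUBLIC, 1000, 1010))
    print("hardened, anonymous:  ", enumerate_sealed(hardened_get_document, PUBLIC, 1000, 1010))
    print("hardened, counsel:    ", enumerate_sealed(hardened_get_document, ATTORNEY, 1000, 1010))
```

Two points a practitioner would take from this. The fix is the per-request `is_authorized` call on the server; replacing sequential IDs with random ones makes guessing harder but is not a substitute, because a leaked or shared link would still open the document for anyone. And because the hardened handler answers identically for missing and forbidden IDs, an access log of this endpoint can only rule out improper access if it records the requester, the document ID and the decision, which is exactly the kind of logging several parties in this story would not confirm they keep.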

With help from the vulnerability disclosure center CERT/CC and CISA’s Coordinated Vulnerability Disclosure team, which coordinated the disclosure of these flaws, Parker shared details of nine vulnerabilities in total with the affected vendors and judiciaries in an effort to get them fixed.

What came back was a mixed bag of results.

Three technology vendors fixed the bugs in their respective court record systems, Parker said, but only two firms confirmed to TechCrunch that the fixes took effect.

Catalis, a government technology software company that makes CMS360, a court records system used by judiciaries across Georgia, Mississippi, Ohio and Tennessee, acknowledged the vulnerability in a “separate secondary application” used by some court systems that allows the public, attorneys or judges to search CMS360 data.

“We have no records or logs indicating that confidential data was accessed through that vulnerability, and have received no such reports or evidence,” said Catalis executive Eric Johnson in an email to TechCrunch. Catalis would not explicitly say if it maintains the specific logs it would need to rule out improper access to sensitive court documents.

Software company Tyler Technologies said it fixed vulnerabilities in its Case Management Plus module in a court records system used exclusively in Georgia, the company told TechCrunch.

“We have been in communication with the security researcher and have confirmed the vulnerabilities,” said Tyler spokesperson Karen Shields. “At this time, we have no evidence of discovery or exploitation by a bad actor.” The company did not say how it came to this conclusion.

Parker said that Henschen & Associates, a local Ohio software maker that provides a court records system called CaseLook across the state, fixed the vulnerability but did not respond to emails. Henschen president Bud Henschen also did not respond to emails from TechCrunch, or confirm that the company had fixed the bug.

In their disclosure published Thursday, Parker also said they notified five counties in Florida by way of the state courts administrator’s office. The five Florida courts are thought to have developed their own court records systems in-house.

Only one county is known to have fixed the vulnerability found in their system and ruled out improper access to sensitive court records.


A photo of Sarasota County Courthouse in Florida, one of the judiciaries with an affected court records system. Image Credits: Independent Picture Service / Universal Images Group via Getty.

Sarasota County said it had fixed a vulnerability in its court records system it calls ClerkNet, which allowed access to documents by incrementing through numerically sequential document numbers. In a letter provided to TechCrunch when reached for comment, Sarasota County clerk of the circuit court Karen Rushing said the review of its access logs “revealed no occurrences where sealed or confidential information was accessed.” The county disputed the existence of a second flaw reported by Parker.

Given the simplicity of some of the vulnerabilities, it is unlikely that Parker or the original tipster are the only people with knowledge of their exploitability.

The four remaining Florida counties have yet to acknowledge the flaws, say if they have implemented fixes, or confirm if they have the ability to determine if sensitive records were ever accessed.

Hillsborough County, which includes Tampa, would not say if its systems were patched following Parker’s disclosure. In a statement, Hillsborough County Clerk spokesperson Carson Chambers said: “The confidentiality of public records is a top priority of the Hillsborough County Clerk’s office. Multiple security measures are in place to ensure confidential court records can only be viewed by authorized users. We consistently implement the latest security enhancements to Clerk systems to prohibit it from happening.”

Lee County, which covers Fort Myers and Cape Coral, also would not say if it had fixed the vulnerability, but said it reserved the right to take legal action against the security researcher.

When reached for comment, Lee County spokesperson Joseph Abreu provided a boilerplate statement identical to Hillsborough County’s, with the addition of a thinly veiled legal threat. “We interpret any unauthorized access, intentional or unintentional, as a potential violation of Florida Statute Chapter 815, and may also result in civil litigation by our office.”

Representatives for Monroe County and Brevard County, which Parker also filed vulnerability disclosures with, did not respond to requests for comment.

For Parker, the research amounts to hundreds of unpaid hours, yet covers only the tip of the iceberg of affected court records systems: at least two other court records systems have similar vulnerabilities that remain unpatched today, Parker said.

Parker said they hope their findings help make changes and spur on improvements to the security of government tech applications. “Gov-tech is broken,” they said.

You can contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849 or by email. You can also contact TechCrunch via SecureDrop.
