[{"id":2635949,"date":"2023-11-30T09:05:47","date_gmt":"2023-11-30T17:05:47","guid":{"rendered":"https:\/\/techcrunch.com\/?p=2635949"},"modified":"2023-12-04T13:34:29","modified_gmt":"2023-12-04T21:34:29","slug":"us-court-records-systems-vulnerabilities-exposed-sealed-documents","status":"publish","type":"post","link":"https:\/\/techcrunch.com\/2023\/11\/30\/us-court-records-systems-vulnerabilities-exposed-sealed-documents\/","title":{"rendered":"Security flaws in court record systems used in five US states exposed sensitive legal documents"},"content":{"rendered":"
Witness lists and testimony, mental health evaluations, detailed allegations of abuse and corporate trade secrets. These are some of the sensitive legal court filings that security researcher Jason Parker said they found exposed to the open internet for anyone to access, and from none other than the judiciaries themselves.\n At the heart of any judiciary is its court records system, the technology stack for submitting and storing legal filings for criminal trials and civil legal cases. Court records systems are often in part online, allowing anyone to search and obtain public documents, while restricting access to sensitive legal filings in which public exposure could compromise a case.\n But Parker said some court records systems used across the U.S. have simple security flaws that expose sealed, confidential and sensitive but unredacted legal filings to anyone on the web.\n Parker told TechCrunch that they were contacted in September by someone who read their earlier report documenting a vulnerability in Bluesky, the new social network that emerged after Twitter’s sale to Elon Musk. The tipster told Parker that two U.S. court records systems had vulnerabilities that were exposing sensitive legal filings to anyone on the web. The tipster reported the bugs to the affected courts but said they heard nothing back, Parker told TechCrunch in a call earlier this month.\n Equipped with the tipster’s findings, Parker fell down a rabbit hole investigating several affected court records systems. Parker subsequently uncovered security flaws in at least eight court records systems used across Florida, Georgia, Mississippi, Ohio and Tennessee.\n “The first document I ran across was an order from a judge in a domestic violence case. The order was to grant name changes for children to basically keep them safe from the spouse,” Parker told TechCrunch, speaking about reproducing the first vulnerability. 
“Immediately my jaw just went to the center of the earth and stayed that way for weeks.”\n “The next document that I found in the other court was a full mental health evaluation. It was thirty pages long in a criminal case, and it was as detailed as you would expect; it was from a doctor,” they added.\n The bugs vary in complexity, but all could be exploited by anyone using only the developer tools built into any web browser, Parker said.\n These kinds of so-called “client-side” bugs are exploitable with a browser because an affected system was not performing the proper security checks to determine who is allowed to access sensitive documents stored within.\n One of the bugs was as easy to exploit as incrementing a document number in the browser’s address bar on one Florida court records system, said Parker. Another bug allowed anyone “automatic passwordless” access to a court records system by adding a six-letter code to any username, which Parker said they found as a clickable link in a Google search result.\n With help from vulnerability disclosure center CERT\/CC and CISA’s Coordinated Vulnerability Disclosure team, which assisted in the coordination of disclosing these flaws, Parker shared details of nine total vulnerabilities with the affected vendors and judiciaries in an effort to get them fixed.\n What came back was a mixed bag of results.\n Three technology vendors fixed the bugs in their respective court record systems, Parker said, but only two firms confirmed to TechCrunch that the fixes took effect.\n Catalis, a government technology software company that makes CMS360, a court records system used by judiciaries across Georgia, Mississippi, Ohio and Tennessee, acknowledged the vulnerability in a “separate secondary application” used by some court systems that allows the public, attorneys or judges to search CMS360 data.\n “We have no records or logs indicating that confidential data was 
accessed through that vulnerability, and have received no such reports or evidence,” said Catalis executive Eric Johnson in an email to TechCrunch. Catalis would not explicitly say if it maintains the specific logs it would need to rule out improper access to sensitive court documents.\n Software company Tyler Technologies said it fixed vulnerabilities in its Case Management Plus module in a court records system used exclusively in Georgia, the company told TechCrunch.\n “We have been in communication with the security researcher and have confirmed the vulnerabilities,” said Tyler spokesperson Karen Shields. “At this time, we have no evidence of discovery or exploitation by a bad actor.” The company did not say how it came to this conclusion.\n Parker said that Henschen & Associates, a local Ohio software maker that provides a court records system called CaseLook across the state, fixed the vulnerability but did not respond to emails. Henschen president Bud Henschen also did not respond to emails from TechCrunch, or confirm that the company had fixed the bug.\n