A shocking revelation has recently surfaced regarding the vulnerability of court records systems across the United States. Security researcher Jason Parker recently exposed simple yet profound security flaws in several court records systems, allowing unrestricted access to sealed, confidential, and sensitive legal filings.
At the core of any judiciary lies its court records system, a technological infrastructure designed to submit, store, and manage legal filings for criminal trials and civil cases. While these systems often provide online access to public documents, they are expected to secure sensitive information from public exposure that could compromise ongoing cases. However, Parker’s research has unearthed troubling security lapses that expose confidential records to anyone with internet access.
Parker initiated the investigation after being tipped off about vulnerabilities in U.S. court records systems. The findings revealed security flaws in at least eight court records systems spanning across Florida, Georgia, Mississippi, Ohio, and Tennessee. Shockingly, these flaws were not complex, with some exploitable using basic web browser developer tools.
The so-called “client-side” bugs discovered by Parker allowed unauthorized access to sensitive documents stored within court records systems. These vulnerabilities ranged from easily exploitable issues, such as incrementing a document number in a browser’s address bar, to more sophisticated methods like automatic passwordless access by adding a six-letter code to any username.
Upon discovering these vulnerabilities, Parker responsibly disclosed the details to the affected vendors and judiciaries. However, the responses varied. While three technology vendors reportedly fixed the bugs, only two confirmed the effectiveness of the fixes. Some entities, like Catalis and Tyler Technologies, acknowledged the vulnerabilities but assured that there was no evidence of improper access.
Parker’s research, though extensive, may only scratch the surface of the pervasive issue of insecure court records systems. The simplicity of some vulnerabilities suggests that others may have knowledge of their exploitability. Moreover, Parker noted that at least two other court record systems still have similar unpatched vulnerabilities.
Photo: Unsplash
