Several public websites designed to let courts in the United States and Canada manage the personal information of potential jurors had a simple security flaw that easily exposed their sensitive data, including names and home addresses, TechCrunch has exclusively learned.
A security researcher, who asked not to be named for this story, contacted TechCrunch with details of the easy-to-exploit vulnerability and identified at least a dozen jury sites built by government software maker Tyler Technologies that appear to be vulnerable because they run on the same platform.
The affected sites are located across the country, including in California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas and Virginia.
Tyler told TechCrunch that it is fixing the flaw after we notified the company of the data exposure.
The bug meant it was possible for anyone to obtain information about jurors being selected for service. To log into these platforms, jurors are given a unique numerical identifier assigned to them, which could be brute-forced because the numbers were assigned sequentially. The platform also had no mechanism to prevent anyone from flooding the login pages with large numbers of guesses, a protection known as “rate throttling”.
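As an added example (not code from the article or from Tyler Technologies), this is the kind of detection a site operator could run over login logs to spot the pattern described above: one client walking through consecutive identifiers on the login endpoint faster than a real juror would. The log format, endpoint path, IP addresses and juror IDs are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (hypothetical): client IP, timestamp, request, status, juror ID tried.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "POST /jury/login" (?P<status>\d{3}) juror_id=(?P<jid>\d+)$'
)

# Constructed sample: one client steps through sequential IDs, another is a normal user.
SAMPLE_LOG = """\
203.0.113.7 [2024-11-03T10:00:00] "POST /jury/login" 401 juror_id=100240
203.0.113.7 [2024-11-03T10:00:01] "POST /jury/login" 401 juror_id=100241
203.0.113.7 [2024-11-03T10:00:01] "POST /jury/login" 401 juror_id=100242
203.0.113.7 [2024-11-03T10:00:02] "POST /jury/login" 200 juror_id=100243
203.0.113.7 [2024-11-03T10:00:02] "POST /jury/login" 401 juror_id=100244
203.0.113.7 [2024-11-03T10:00:03] "POST /jury/login" 200 juror_id=100245
198.51.100.9 [2024-11-03T10:05:00] "POST /jury/login" 401 juror_id=100777
198.51.100.9 [2024-11-03T10:05:30] "POST /jury/login" 200 juror_id=100777
"""

def parse(log_text):
    """Yield (ip, timestamp, status, juror_id) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.fromisoformat(m["ts"]), int(m["status"]), int(m["jid"])

def find_enumeration(log_text, window_s=60, min_attempts=5, min_sequential=0.8):
    """Return {ip: attempts_in_window} for clients whose login attempts inside a
    window_s-second window mostly step through consecutive juror IDs."""
    by_ip = defaultdict(list)
    for ip, ts, _status, jid in parse(log_text):
        by_ip[ip].append((ts, jid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window of attempts starting at event i.
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            if len(window) < min_attempts:
                continue
            ids = [jid for _, jid in window]
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if steps / (len(ids) - 1) >= min_sequential:
                flagged[ip] = len(window)
                break
    return flagged
```

A 200 response to a guessed identifier is the event worth alerting on, since on the affected platform a valid identifier alone was enough to reach a juror's record.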
In early November, the security researcher told TechCrunch that they had identified at least one jury management portal for a county in Texas as vulnerable. Inside that portal, TechCrunch saw jurors’ full names, dates of birth, occupations, email addresses, mobile phone numbers, and home and mailing addresses.
Other exposed data included information shared on questionnaires that potential jurors must fill out to see if they are fit to serve on a jury.
In the portal seen by TechCrunch, the questions asked about gender, nationality, education level, employer, marital status, children, whether the person was a citizen, whether they were over 18, and whether they have been convicted of or are facing theft or felony charges.
The vulnerability could have exposed personal health data within a juror’s profile in some cases. For example, if a juror had asked to be excused from service on health grounds, they may have disclosed what medical reason they believe disqualifies them. TechCrunch also saw an example of this.
TechCrunch alerted Tyler to the issue on November 5. Tyler acknowledged the vulnerability on November 25.
In a statement, Tyler spokeswoman Karen Shields said the company’s security team confirmed that “there is a vulnerability where some juror information may have been accessed through a brute force attack.”
“We have deployed a remediation to prevent unauthorized access and are communicating with our customers about next steps,” the statement said.
The spokeswoman did not respond to a series of follow-up questions, including whether Tyler has the technical means to determine whether jurors’ personal information was maliciously accessed and whether it plans to notify individuals whose data was exposed.
This isn’t the first time Tyler has left sensitive personal data exposed online. In 2023, a security researcher found that, due to a separate security flaw, some online US court records systems exposed sealed, confidential, and sensitive data, such as witness lists and testimony, mental health evaluations, detailed allegations of abuse, and corporate trade secrets.
In that case, Tyler patched vulnerabilities in the Case Management System Plus product, which was used throughout the state of Georgia.
Two other state technology providers were exposing data in that case: Catalis, through its CMS360 product, a system used in several US states; and Henschen & Associates, through the CaseLook court system, used in Ohio.
