Lists of witnesses and testimonials, mental health evaluations, detailed abuse complaints and company trade secrets. These are some of the sensitive court records that security researcher Jason Parker said he found exposed on the open Internet for anyone, and anyone but the judiciary themselves, to access.
At the heart of any court system is the court records system, the technology stack for submitting and storing legal filings for criminal trials and civil legal cases. Court records systems are often partially online, allowing anyone to search for and obtain public documents while limiting access to sensitive legal records where public exposure could jeopardize a case.
But Parker said some court records systems used across the U.S. have simple security flaws that expose sealed, confidential and sensitive but unredacted legal filings to anyone on the Web.
Parker told TechCrunch that they were contacted in September by someone who read their previous report documentation of a vulnerability in Bluesky, the new social network that emerged after the sale of Twitter to Elon Musk. The advocate told Parker that two US court records systems had vulnerabilities that exposed sensitive legal records to anyone on the Web. The tipster reported the errors to the affected courts, but said they heard nothing, Parker told TechCrunch on a call earlier this month.
Armed with the tipster’s findings, Parker went down a rabbit hole researching several affected court records systems. Parker then disclosed security flaws in at least eight court records systems used in Florida, Georgia, Mississippi, Ohio and Tennessee.
“The first document I saw was a judge’s order in a domestic violence case. The order was to grant name changes to the kids to basically protect them from the wife,” Parker told TechCrunch, talking about the reproduction of the first vulnerability. “Immediately my jaw went to the center of the earth and stayed that way for weeks.”
“The next document I found at the other court was a full mental health assessment. It was thirty pages into a criminal case and as detailed as you’d expect. it was from a doctor,” they added.
The bugs vary in complexity, but all could be exploited by anyone using just the developer tools built into any web browser, Parker said.
These types of so-called “client-side” bugs are exploitable with a browser because an affected system did not perform the proper security checks to determine who is allowed to access sensitive documents stored on them.
One of the bugs was as easy to exploit as incrementing a document number in the browser address bar of a Florida court records system, Parker said. Another bug allowed anyone to “automatically access without a password” a court records system by adding a six-letter code to any username, which Parker said they found as a clickable link in a Google search result.
With help from CERT/CC Vulnerability Disclosure Center and CISA Coordinated Vulnerability Disclosure Teamwho helped coordinate the disclosure of these flaws, Parker shared details nine total vulnerabilities with the affected sellers and the legal authorities in an effort to fix them.
What came back was a mixed bag of results.
Three technology vendors fixed the bugs in their respective court records systems, Parker said, but only two companies confirmed to TechCrunch that the fixes had taken effect.
Catalis, a government software technology company that makes CMS360, a court records system used by judicial authorities across Georgia, Mississippi, Ohio and Tennessee, has identified a vulnerability in a “separate secondary application” used by some court systems that allow the public, lawyers or judges to search CMS360 data.
“We have no files or logs indicating that confidential data was accessed through this vulnerability, and we have not received any such reports or evidence,” Eric Johnson, a Catalis executive, said in an email to TechCrunch. Catalis won’t say specifically whether it keeps the specific logs it would need to block improper access to sensitive court documents.
Software company Tyler Technologies said it has patched vulnerabilities in the Case Management Plus module of a court records system used exclusively in Georgia, the company told TechCrunch.
“We have been in contact with the security researcher and have confirmed the vulnerabilities,” Tyler spokeswoman Karen Shields said. “At this time, we have no evidence of discovery or exploitation by a bad actor.” The company did not say how it reached that conclusion.
Parker said Henschen & Associates, a local Ohio software developer that provides a statewide court records system called CaseLook, patched the vulnerability but did not respond to emails. Henschen president Bud Henschen also did not respond to emails from TechCrunch, nor did he confirm that the company had fixed the bug.
In their disclosure was published on Thursday, Parker also said they notified five counties in Florida through the state court administrator’s office. Florida’s five courts are believed to have developed their own court records systems in-house.
Only one county is known to have patched the vulnerability found in its system and prevented improper access to sensitive court records.
A photo of the Sarasota County Courthouse in Florida, one of the courthouses with an affected court records system. Image Credits: Independent Picture Service / Universal Images Group via Getty.
Sarasota County said it has patched a vulnerability in its court records system it calls ClerkNet that allowed access to documents by incrementing document sequence numbers. In a letter provided to TechCrunch When reached for comment, Sarasota County Clerk of District Court Karen Rushing said a review of access logs “did not reveal any incidents where sealed or confidential information was accessed.” The county disputed the existence of a second defect cited by Parker.
Given the simplicity of some of the vulnerabilities, it’s unlikely that Parker or the original tipster were the only people with knowledge of their exploitability.
The four remaining Florida counties have yet to acknowledge the flaws, report whether they have implemented fixes or confirm whether they have the ability to determine whether sensitive records were ever accessed.
Hillsborough County, which includes Tampa, would not say whether its systems were fixed after Parker’s disclosure. In a statement, Hillsborough County Clerk’s spokeswoman Carson Chambers said, “The confidentiality of public records is a top priority of the Hillsborough County Clerk’s office. There are many security measures in place to ensure that confidential court records can only be viewed by authorized users. We consistently apply the latest security enhancements to Clerk systems to prevent this.”
Lee County, which covers Fort Myers and Cape Coral, also would not say whether it had patched the vulnerability, but said it reserved the right to take legal action against the security researcher.
When reached for comment, Lee County Representative Joseph Abreu provided an identical statement to Hillsborough County, with the addition of a thinly veiled legal threat. “We interpret any unauthorized access, intentional or unintentional, as a possible violation of Chapter 815 of the Florida Statutes and may also result in civil litigation by our office.”
Representatives for Monroe County and Brevard County, in which Parker also filed vulnerability disclosures, did not respond to requests for comment.
For Parker, their research amounts to hundreds of unpaid hours, but represents only the tip of the iceberg of affected court records systems, noting that at least two other court records systems have similar unpatched vulnerabilities today.
Parker said they hope their findings will help make changes and spur improvements in the security of government technology applications. “Government technology is broken,” they said.
Read more at TechCrunch:
Zack Whittaker can be reached on Signal and WhatsApp at +1 646-755-8849 or via email. You can also contact TechCrunch via SecureDrop.
