A software developer has spent a year investigating commercial platforms used by hundreds of courts, government agencies, and police departments across the country, and his findings are chilling.
The analysis revealed that 19 of these platforms are vulnerable and could result in some serious consequences, from voting fraud to exposure of sensitive medical information.
With AI enabling more sophisticated and relentless attacks from cybercriminals, this investigation is a wake-up call.
Basic Failings with Dire Consequences
Software developer turned security researcher Jason Parker has meticulously documented his year-long investigation, which he took on as a volunteer.
What he found were vulnerabilities that would allow an attacker to add, delete, or change official documents and have access to the most personal of information.
Critical flaws included one in the voter registration cancellation portal for the state of Georgia. This vulnerability allowed anyone who visited the portal to cancel another person’s registration if they simply knew their name, birthdate, and county of residence. With the election approaching, this is one flaw that authorities in Georgia scrambled to fix.
Other flaws were found in the document management systems used in local courthouses across the country. These allowed unauthorized people to see court documents, including sealed psychiatric evaluations. Not only that, but in one case the unauthorized user could then grant themselves the privileges necessary to create, delete, or change filings – privileges reserved for clerks of the court.
Parker singled out a platform called Granicus GovQA, which is used by government agencies for managing public records. He found that attackers can reset passwords “without verifying a user’s identity” and “could gain access to usernames and emails by simply manipulating web addresses.”
Making It Too Easy
Parker has made his findings public in a Medium post and says, alarmingly:
“Vulnerable systems seem to be the norm more than the exception.”
To give a sense of scope, the investigation looked at both in-house government platforms, such as those used by a staggering five of Florida’s counties, and platforms created by contracted companies.
Parker also states that the vulnerabilities these systems harbor “could be exploited with ease — even by attackers with minimal technical expertise, thus underscoring the fragility of systems meant to safeguard our most sensitive public records.” He pointed specifically to weak permission controls and poor validation of user inputs.
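The two weaknesses Parker names, weak permission controls and trusting what the client sends, can be shown side by side in a small access-control model of a court filing system. This is an added illustration written for this article, not code from any of the platforms investigated; the filings, usernames, roles and the rule that unsealed filings are public while sealed ones are limited to clerks and case parties are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample store for a court filing system; all data is invented.
@dataclass(frozen=True)
class Filing:
    filing_id: int
    parties: frozenset   # usernames of the parties to the case
    sealed: bool         # e.g. a sealed psychiatric evaluation

@dataclass(frozen=True)
class Session:
    username: str
    role: str            # "public", "party" or "clerk", fixed server-side at login

FILINGS = {
    101: Filing(101, frozenset({"alice"}), sealed=False),
    102: Filing(102, frozenset({"alice"}), sealed=True),
}
CLERK_ACTIONS = {"create", "delete", "modify"}

def weak_is_allowed(filing_id: int, role_param: str, action: str) -> bool:
    """Weak pattern: the role arrives in the request itself (query string or
    hidden form field), so the caller chooses it, and the target filing is
    never inspected, so sealed status is never enforced."""
    if action == "view":
        return filing_id in FILINGS          # any known id is viewable
    return role_param == "clerk"             # "?role=clerk" is enough

def is_allowed(session: Session, filing_id: int, action: str) -> bool:
    """Hardened pattern: the role comes from the server-side session and the
    decision is made per object (sealed status and case membership)."""
    filing = FILINGS.get(filing_id)
    if filing is None:
        return False                         # unknown and forbidden look alike
    if action in CLERK_ACTIONS:
        return session.role == "clerk"       # only clerks change filings
    if action != "view":
        return False
    if not filing.sealed:
        return True                          # assumption: unsealed is public
    return session.role == "clerk" or session.username in filing.parties
```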
Call for System Overhaul
Parker teamed up with the Electronic Frontier Foundation to notify all of the system vendors and responsible parties of his findings. He also reports that all of the vulnerabilities have been fixed.
However, he says this is simply not enough.
“Fixing these issues requires more than just patching a few bugs. It calls for a complete overhaul of how security is handled in court and public record systems.”
Parker signs off with a stark warning: “This series of disclosures is a wake-up call to all organizations that manage sensitive public data. If they fail to act quickly, the consequences could be devastating — not just for the institutions themselves but for the individuals whose privacy they are sworn to protect.”