Several public websites designed to help courts in the United States and Canada manage potential jurors’ personal information had simple security flaws that could easily leak sensitive data such as names and home addresses, TechCrunch has learned exclusively.
A security researcher, who requested anonymity for this story, contacted TechCrunch for details on the easily exploitable vulnerability and identified at least a dozen jury websites created by government software maker Tyler Technologies, which he said appear to be vulnerable because they run on the same platform.
The affected sites are spread across the country, including California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia.
Tyler told TechCrunch that it is fixing the flaw after TechCrunch alerted the company to the vulnerability.
The bug could have allowed anyone to obtain information about jurors selected to serve. To log into these platforms, jurors are given an assigned unique numerical identifier, but the numbers increase sequentially, making brute-force guessing of valid identifiers possible. The platform also lacked a mechanism to stop a flood of login guesses against the login page, a protection known as “rate limiting.”
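To make the two weaknesses described above concrete from the defender's side, here is an added example (not code from TechCrunch, the researcher or Tyler Technologies) that replays constructed portal login lines through a sliding-window rate limiter and flags sources that walk consecutive identifiers. The log format, thresholds and addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login attempts ("timestamp source_ip juror_id result"); made up here, not real portal logs.
SAMPLE_LOG = """\
2024-11-05T10:00:00 203.0.113.7 10000421 fail
2024-11-05T10:00:01 203.0.113.7 10000422 fail
2024-11-05T10:00:01 203.0.113.7 10000423 success
2024-11-05T10:00:02 203.0.113.7 10000424 fail
2024-11-05T10:00:02 203.0.113.7 10000425 fail
2024-11-05T10:00:03 203.0.113.7 10000426 success
2024-11-05T10:03:00 198.51.100.9 10007731 success
"""
WINDOW = timedelta(seconds=60)  # sliding window per source address (assumed policy)
MAX_ATTEMPTS = 5                # attempts allowed inside one window
MIN_RUN = 4                     # consecutive IDs from one source that count as enumeration

def parse_log(text):
    """Parse "timestamp ip juror_id result" lines into tuples."""
    return [(datetime.fromisoformat(t), ip, j, r)
            for t, ip, j, r in (line.split() for line in text.strip().splitlines())]

def rate_limit(records):
    """Replay attempts through a sliding-window limiter; return (ip, juror_id) pairs it would reject."""
    recent, blocked = defaultdict(deque), []
    for ts, ip, juror_id, _ in records:
        window = recent[ip]
        while window and ts - window[0] > WINDOW:  # expire attempts outside the window
            window.popleft()
        if len(window) >= MAX_ATTEMPTS:
            blocked.append((ip, juror_id))  # rejected before any identifier lookup runs
        else:
            window.append(ts)
    return blocked

def enumeration_sources(records):
    """Return sources whose tried IDs include MIN_RUN consecutive values: sequential-ID walking."""
    ids_by_ip = defaultdict(set)
    for _, ip, juror_id, _ in records:
        ids_by_ip[ip].add(int(juror_id))
    flagged = []
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        run = longest = 1
        for previous, value in zip(ordered, ordered[1:]):
            run = run + 1 if value == previous + 1 else 1
            longest = max(longest, run)
        if longest >= MIN_RUN:
            flagged.append(ip)
    return sorted(flagged)
```

The limiter rejects the sixth guess from 203.0.113.7, the one that would have landed on a real identifier, while the enumeration check flags the same source from its consecutive identifiers even when the attempts themselves were individually permitted.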
In early November, the security researcher told TechCrunch that he had identified vulnerabilities in at least one jury management portal in a Texas county. TechCrunch verified that the portal exposed a juror's name, date of birth, occupation, email address, mobile phone number, home address and mailing address.
Other exposed data included information shared in questionnaires that prospective jurors were asked to fill out to determine whether they were eligible to serve on a jury.
The portal viewed by TechCrunch asked questions about the person’s gender, ethnicity, education level, employer, marital status, children, whether the person is a citizen, whether they are over 18 years old, and whether they have been convicted or charged with theft or a felony.
In some cases, this vulnerability could have exposed personal health data in jurors’ profiles. For example, if a juror requested an exemption from jury service for medical reasons, the juror may have spelled out the medical reasons they believe disqualify them. TechCrunch also saw an example of this.
Do you have more information about vulnerabilities in Tyler Technologies’ products or other government technologies? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382), on Telegram and Keybase @lorenzofb, or by email.
TechCrunch alerted Tyler to this issue on November 5th, and Tyler acknowledged the vulnerability on November 25th.
Tyler spokeswoman Karen Shields said in a statement that the company’s security team has identified “a vulnerability that could have allowed some jury information to be accessed through a brute force attack.”
“We have developed remediation measures to prevent unauthorized access and are discussing next steps with our customers,” the company said in a statement.
The spokesperson did not respond to a series of additional questions, including whether Tyler has the technical means to determine whether jurors’ personal information was maliciously accessed and whether it plans to notify those whose data was compromised.
This is not the first time Tyler has exposed sensitive personal data on the internet. In 2023, a security researcher discovered that another security flaw had caused some online court records systems in the United States to expose sealed and sensitive data, including witness lists and testimony, mental health evaluations, detailed allegations of abuse, and company trade secrets.
In that case, Tyler fixed a vulnerability in the Case Management System Plus product used throughout the state of Georgia.
Two other government technology providers also exposed data in that case: Catalis, through its CMS360 product, a system used in multiple U.S. states, and Henschen & Associates, through its CaseLook court records system used in Ohio.