Cutting corners: The presidential election is approaching and if there is anything that unites the US populace it is the desire that voting systems are safe and secure. Unfortunately, they are anything but, according to a security researcher who has uncovered several vulnerabilities in these and other systems used by courts and government agencies. Fixing the problem will require nothing less than a complete overhaul of how these systems handle security.
Jason Parker, an erstwhile software developer turned security researcher, has for the past year been hunting down and reporting critical vulnerabilities in the commercial platforms used by courts, government agencies and police departments across the US.
His efforts have turned up alarming results, finding that 19 of these systems are riddled with vulnerabilities allowing hackers to access confidential information, manipulate legal documents, and compromise personal data.
They also open the door for attackers to falsify registration databases, a scenario that clearly bothers Parker. “These vulnerabilities in a voter registration portal, much like those found in court systems, underscores how inadequate security measures can put citizens’ rights and personal information at risk,” he said.
The vulnerabilities share two key problems in common. First, the systems’ permission controls are not strong enough. Second, user inputs are not properly checked. Many websites use easy-to-guess user ID numbers, and some let users change important data fields. This can grant users access beyond what they are authorized to have. As a result, attackers can gain high-level access to the system without proper authorization.
For example, in Georgia, a flaw in the voter registration cancellation portal could allow attackers to submit cancellation requests using only basic personal information like name and birthdate.
In the Granicus GovQA platform used by government agencies, attackers could easily reset passwords and gain access to usernames and emails by manipulating web addresses. This level of control could allow malicious actors to hijack accounts or change ownership of sensitive public records.
Similarly, a vulnerability in Thomson Reuters’ C-Track eFiling system could allow attackers to elevate their user status to court administrator by manipulating fields during registration. This could potentially grant access to view or tamper with sensitive court data.
Court record platforms in several Florida counties, including Sarasota and Hillsborough, had weak access controls that allowed unauthorized access to restricted documents. Among the compromised records were sealed documents, mental health evaluations, and witness lists – private information that should have been securely protected, Parker said.
In Arizona’s Maricopa County, the Superior Court eFiling system allowed exploitation of API endpoints to retrieve restricted legal documents. The Catalis EZ-Filing platforms used in multiple states exposed personal information and even sealed court documents in some cases.
In short, “the vulnerabilities discovered in these platforms reveal systemic security failures that span regions and vendors,” Parker said. “These platforms are supposed to ensure transparency and fairness, but are failing at the most fundamental level of cybersecurity.”
Parker has no illusions that these issues will be an easy fix. The solution is nothing short of a complete overhaul of how security is handled in court and public record systems, he said. Robust permission controls must be immediately implemented, and stricter validation of user inputs enforced. Also, regular security audits and penetration testing should be standard practice, not an afterthought, he advised.
Other remedies he presents are familiar terrain to any security expert but many local governments seem unaware of these basic solutions.
The widespread adoption of multi-factor authentication would prevent attackers from easily taking control of accounts. Ongoing training for IT personnel on the latest security practices is crucial, along with educating users about phishing risks and other common attack vectors.
Unless organizations act quickly, “the consequences could be devastating – not just for the institutions themselves but for the individuals whose privacy they are sworn to protect,” he concluded.
Unfortunately, the responses when Parker contacted the various governments about their vulnerabilities were mixed. In many cases the systems were quickly remedied while others dragged their feet. And in one instance in Florida’s Lee County, Parker was threatened with legal action.