Vulnerabilities in Court Record Systems in Five US States Expose Sensitive Legal Documents

Security researcher Jason Parker discovered several court records systems across the U.S. with simple security flaws that exposed sealed, confidential, and sensitive but unredacted legal filings to anyone on the web. These filings include mental health evaluations, detailed allegations of abuse, corporate trade secrets, and testimony. Parker was tipped off to the vulnerabilities by someone who had read their previous report on a vulnerability in Bluesky, the social network that emerged after Twitter’s sale to Elon Musk. The tipster reported the bugs to the affected courts, but received no response.

Parker uncovered vulnerabilities in at least eight court records systems used across Florida, Georgia, Mississippi, Ohio, and Tennessee, with bugs that varied in complexity. Some were as easy to exploit as incrementing a document number in the browser’s address bar, while others allowed “automatic passwordless” access to court records systems. Despite efforts to disclose these flaws to the affected vendors and judiciaries, the response has been mixed. Three technology vendors claimed to have fixed the bugs, but only two firms confirmed that the fixes took effect.
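For operators of a records portal, the "incrementing a document number" pattern described above leaves a recognizable trace in web access logs. The following is an added example, not code from the article, the researcher, or any vendor; the `/documents/<id>` URL layout, the log lines, and the `min_run` threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined-log style). The /documents/<id>
# path is an assumed URL layout, not one taken from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Dec/2023:10:00:01 +0000] "GET /documents/48210 HTTP/1.1" 200 51234
198.51.100.23 - - [01/Dec/2023:10:00:02 +0000] "GET /documents/48210 HTTP/1.1" 200 51234
203.0.113.7 - - [01/Dec/2023:10:00:03 +0000] "GET /documents/48211 HTTP/1.1" 200 20480
203.0.113.7 - - [01/Dec/2023:10:00:04 +0000] "GET /documents/48212 HTTP/1.1" 200 73211
198.51.100.23 - - [01/Dec/2023:10:00:05 +0000] "GET /documents/51877 HTTP/1.1" 200 9120
203.0.113.7 - - [01/Dec/2023:10:00:06 +0000] "GET /search?q=smith HTTP/1.1" 200 4100
203.0.113.7 - - [01/Dec/2023:10:00:07 +0000] "GET /documents/48213 HTTP/1.1" 200 66002
203.0.113.7 - - [01/Dec/2023:10:00:08 +0000] "GET /documents/48214 HTTP/1.1" 200 1877
198.51.100.23 - - [01/Dec/2023:10:00:09 +0000] "GET /documents/48213 HTTP/1.1" 200 66002
"""

# Client address, numeric document ID, and HTTP status of a document fetch.
LINE_RE = re.compile(r'^(\S+) .*?"GET /documents/(\d+)[^"]*" (\d{3})')


def longest_run(ids):
    """Length of the longest chain in which each ID is the previous ID + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(log_text, min_run=4):
    """Map client -> longest consecutive-ID run of served documents,
    keeping only clients whose run reaches min_run (assumed threshold)."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only count documents the server actually returned (HTTP 200).
        if m and m.group(3) == "200":
            per_client[m.group(1)].append(int(m.group(2)))
    runs = {ip: longest_run(ids) for ip, ids in per_client.items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}


if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} consecutive document IDs served")
```

A hit only indicates which documents may have been served to a walking client; the fix remains a server-side authorization check on every document request, so that a sealed filing is never returned based on its number alone.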

The disclosure shows that government tech applications still have major security vulnerabilities, and some court systems remain unpatched. Parker’s findings highlight the need to improve the security of these applications. The unpaid hours invested in this research, however, cover only the tip of the iceberg of affected court records systems: at least two other court records systems have similar unpatched vulnerabilities today.