Court Record Systems in Five Counties Potentially Expose Sensitive Legal Filings

Several security flaws were recently identified in five in-house platforms used by individual courts in Brevard, Hillsborough, Lee, Monroe and Sarasota counties, possibly exposing restricted documents and sensitive legal filings online.

According to a story published by TechCrunch, security researcher Jason Parker found the flaws in each county’s court record systems after being anonymously tipped off that two other U.S. court records systems had vulnerabilities exposing sensitive legal information online.

“The bugs vary by complexity, but could all be exploited by anyone using only the developer tools built in to any web browser,” Parker told TechCrunch.

If used correctly, these tools could provide access to witness lists, testimonies, mental health evaluations, corporate trade secrets and abuse allegations, according to the story.

For example, in Brevard County, docket entries and other sensitive legal information typically protected by encrypted document IDs associated with specific document URLs can be altered by query parameters such as “theIV=” and “theKey=.”

Using these parameters, users could encrypt a document ID and use that as a workaround to view restricted documents.

Meanwhile, in Hillsborough County, session cookies, which are used to determine which cases and documents a user is viewing, are a possible cause for concern.

“When a case or document is requested, a request is sent to the API (application programming interface), which associates the data with the user’s session cookie and returns the results,” according to a GitHub thread. “The API endpoint for obtaining document information returns a list that includes the document ID, several values that specify the security level required to view the document and the user’s applied access level.”

Once a hacker has this information, they can view restricted information by changing the security level to a more permissive value.

Lee County, on the other hand, faces a different issue.

“For most types of cases, document IDs are available in the pre-rendered HTML,” the GitHub thread states. In Lee County’s court record system, “restricted documents could be viewed by executing the pushDataAndShow() function from the site’s JavaScript source code.”

In Monroe County, a debugger statement, which identifies coding errors, created a window for hackers.

While trying to fix another issue within the county’s court records system, developers left a debugger statement, which paused code execution, allowing hackers to adjust security levels and exploit sensitive information. According to the GitHub thread, the debugger statement has since been removed.

Lastly, in Sarasota County, document URLs and CAPTCHAs created several vulnerabilities within its ClerkNet system, which oversees all electronic court records.

According to the GitHub thread, “document URLs contained nothing more than a numeric document ID. An attacker could view restricted documents by simply incrementing the document ID in the URL. The only protection was a CAPTCHA on the landing page, which could be bypassed.”

The county aimed to fix this issue; however, developers found two more vulnerabilities, allowing unauthenticated attackers to view restricted cases.

The county issued a response about the vulnerabilities, stating, “Our technical team made a fix to the code to the ClerkNet application to resolve the issue and published the change on October 11, 2023. Our project management team also conducted a comprehensive review of all access logs to ensure that no sealed or confidential information was released. Our access logs revealed no occurrences where sealed or confidential information was accessed. In addition, the logs indicated 10 instances where public information was accessed.”