Hackers Exploit Easy Flaws in Government and Court Platforms
Recently, new vulnerabilities have been discovered in platforms used by government agencies and courts to manage confidential records and documents. These issues provide malicious actors with access to sensitive information, allow alterations to legal documents, and compromise personal data.
Such platforms play a pivotal role in judicial processes and the operations of government agencies, handling cases and public records. The identified flaws can be easily exploited, even with minimal technical skills, highlighting the fragility of systems designed to safeguard highly sensitive data.
This problem is pertinent to numerous institutions responsible for delivering public services. For example, in the state of Georgia, a vulnerability in the voter deregistration portal allowed hackers to cancel voter registrations by simply knowing the individual’s name and date of birth.
The root cause lies in weak access controls and insufficient verification of user-supplied data. Many platforms use predictable identifiers or accept altered data without checking it, giving cybercriminals access to confidential information.
Another example is the Granicus GovQA platform, used for managing government records. Here, attackers could reset passwords without identity verification and gain access to names and email addresses merely by modifying web addresses. This vulnerability allowed attackers to hijack accounts, alter document ownership, and block legitimate users.
Thomson Reuters’ C-Track eFiling system allowed hackers to elevate their privileges to administrative status by altering certain registration data. This flaw granted access to confidential information and the ability to modify legal documents.
In several counties in Florida, inadequate access protection measures enabled attackers to guess document identifiers or alter session cookies, granting access to restricted court records, including sealed documents, psychological evaluations, and witness lists—data that should be securely protected.
In another instance, API vulnerabilities in the eFiling system of the Maricopa County court (Arizona) gave access to restricted court documents to anyone who could guess user identifiers. Systems like Catalis EZ-Filing in Georgia and South Carolina allowed the extraction of personal information and access to confidential records.
On the Granicus eFiling platform, attackers could register as administrators and alter the ownership of legal documents, gaining full control over court cases.
These shortcomings undermine trust in institutions responsible for managing the most sensitive data. Experts emphasize that solving the problem requires more than patching; it necessitates a fundamental rethinking of security measures. Strong access control, robust user data verification, regular security audits, and penetration testing are crucial. Adherence to the Secure by Design principle should be mandatory at every stage of software development.
It is also essential to implement multi-factor authentication to complicate account takeover attempts, while IT teams should receive regular training in modern security practices. Users must also be made aware of the risks associated with attacks.
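The access-control and data-verification measures recommended above can be made concrete with a small sketch. This is an added example, not code from any platform named in the article; the in-memory stores, the function names and the "filer" and "clerk" roles are assumptions made for illustration. It shows a lookup that treats knowledge of an identifier as authorization beside one that checks ownership on the server, and a registration routine that ignores any role the client submits.

```python
import secrets

# Constructed in-memory stores; not data or code from any platform named above.
USERS = {}      # session token -> {"id": ..., "name": ..., "role": ...}
DOCUMENTS = {}  # document id   -> {"owner": user id, "body": ...}

def register(form):
    """Create an account. The role is fixed server-side; form["role"] is ignored."""
    token = secrets.token_urlsafe(32)
    USERS[token] = {"id": secrets.token_hex(8), "name": form["name"], "role": "filer"}
    return token

def file_document(token, body):
    """Store a filing under a random identifier instead of a sequential one."""
    doc_id = secrets.token_urlsafe(16)  # hard to guess, but not an access check by itself
    DOCUMENTS[doc_id] = {"owner": USERS[token]["id"], "body": body}
    return doc_id

def get_document_weak(doc_id):
    """Flawed pattern: whoever presents the identifier gets the record."""
    return DOCUMENTS[doc_id]["body"]

def get_document(token, doc_id):
    """Hardened pattern: resolve the session, then authorize against stored ownership."""
    user = USERS.get(token)
    doc = DOCUMENTS.get(doc_id)
    # One generic error for unknown session, unknown document and forbidden access,
    # so responses do not confirm which identifiers exist.
    if user is None or doc is None:
        raise PermissionError("access denied")
    # "clerk" is a hypothetical staff role, assigned out of band, never at sign-up.
    if doc["owner"] != user["id"] and user["role"] != "clerk":
        raise PermissionError("access denied")
    return doc["body"]

if __name__ == "__main__":
    alice = register({"name": "Alice", "role": "admin"})  # submitted role is discarded
    bob = register({"name": "Bob"})
    doc = file_document(alice, "sealed evaluation (constructed sample)")
    print(USERS[alice]["role"])
    print(get_document(alice, doc))
    try:
        get_document(bob, doc)
    except PermissionError as exc:
        print("bob:", exc)
```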