Security expert discovers widespread vulnerabilities in US voting and government systems

Take shortcuts: The presidential election is approaching, and if there’s anything that unites the American public, it’s the desire for voting systems to be safe and secure. Unfortunately, that’s not the case, according to a security researcher who discovered several vulnerabilities in these and other systems used by courts and government agencies. Fixing the problem will require nothing less than a complete overhaul of how these systems handle security.

Jason Parker, a former software developer turned security researcher, has been tracking and reporting critical vulnerabilities in commercial platforms used by courts, government agencies and police departments across the United States for the past year.

Its efforts have yielded alarming results, revealing that 19 of these systems are riddled with vulnerabilities allowing hackers to access confidential information, manipulate legal documents and compromise personal data.

They also open the door for attackers to tamper with registration databases, a scenario that clearly bothers Parker. “These vulnerabilities in a voter registration portal, much like those found in court systems, highlight how inadequate security measures can put citizens’ rights and personal information at risk,” he said .

The vulnerabilities share two key issues in common. First, the systems’ authorization controls are not strong enough. Second, user inputs are not properly verified. Many websites use easy-to-guess user ID numbers, and some allow users to edit important data fields. This may grant users access beyond what they are authorized for. As a result, attackers can gain high-level access to the system without proper authorization.

For example, in Georgia, a flaw in the voter registration cancellation portal could allow attackers to submit cancellation requests using only basic personal information such as name and date of birth.

On the Granicus GovQA platform used by government agencies, attackers could easily reset passwords and access usernames and emails by manipulating web addresses. This level of control could allow malicious actors to hijack accounts or change ownership of sensitive public records.

Similarly, a vulnerability in Thomson Reuters’ C-Track e-filing system could allow attackers to elevate their user status to court administrator by manipulating fields during registration. This could potentially grant access to view or falsify sensitive forensic data.

Court records platforms in several Florida counties, including Sarasota and Hillsborough, had weak access controls that allowed unauthorized access to restricted documents. Among the compromised records were sealed documents, mental health evaluations and witness lists — private information that should have been securely protected, Parker said.

In Maricopa County, Arizona, the Superior Court’s e-filing system enabled the exploitation of API endpoints to retrieve restricted legal documents. Catalis EZ-Filing platforms used in several states have exposed personal information and even sealed court documents in some cases.

In short, “the vulnerabilities discovered in these platforms reveal systemic security flaws that affect regions and vendors,” Parker said. “These platforms are supposed to provide transparency and fairness, but fail at the most fundamental level of cybersecurity.”

Parker is under no illusion that these problems will be easy to resolve. The solution is nothing less than a complete overhaul of how security is handled in the court and public records systems, he said. Robust authorization controls should be immediately implemented and stricter validation of user inputs should be enforced. Additionally, regular security audits and penetration testing should be standard practice and not an afterthought, he advised.

Other solutions he presents are known to any security expert, but many local authorities seem to ignore these basic solutions.

Widespread adoption of multi-factor authentication would prevent attackers from easily taking control of accounts. Continuous training of IT staff on the latest security practices is crucial, as well as educating users on the risks of phishing and other common attack vectors.

If organizations do not act quickly, “the consequences could be devastating – not only for the institutions themselves but also for the individuals whose privacy they are sworn to protect,” he concluded.

Unfortunately, the responses when Parker contacted different governments about their vulnerabilities were mixed. In many cases, systems were quickly patched while others dragged their feet. And in one case in Lee County, Florida, Parker was threatened with legal action.