Bug in jury systems used by several US states exposed sensitive personal data | TechCrunch
"The bug meant it was possible for anyone to obtain the information about jurors who are selected for service. To log into these platforms, a juror is provided a unique numerical identifier assigned to them, which could be brute-forced since the number was sequentially incremental. The platform also did not have any mechanism to prevent anyone from flooding the login pages with a large number of guesses, a feature known as 'rate-limiting.'"
"A security researcher, who asked not to be named for this story, contacted TechCrunch with details of the easy-to-exploit vulnerability, and identified at least a dozen juror websites made by government software maker Tyler Technologies that appear to be vulnerable, given that they run on the same platform. The sites are all over the country, including California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia. Tyler told TechCrunch that it is fixing the flaw after we alerted the company to the information exposures."
"In early November, the security researcher told TechCrunch that they identified at least one jury management portal for a county in Texas as vulnerable. Inside that portal, TechCrunch saw full names, date of birth, occupation, email addresses, cell phone numbers, and home and mailing addresses. Other exposed data included information shared in the questionnaires that potential jurors are required to fill out to see if they are qualified to serve on a jury."
A simple authentication flaw in multiple jury-management portals built by Tyler Technologies allowed unauthorized access to juror personal information. The only credential was a numeric identifier issued in sequence, so valid identifiers could be enumerated by brute force, and the platforms applied no rate-limiting to block repeated guesses. A security researcher identified at least a dozen vulnerable sites across California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas and Virginia. Exposed information included full names, dates of birth, occupations, email addresses and cell phone numbers, home and mailing addresses, and questionnaire responses covering gender, ethnicity, education, employment, marital status, children, citizenship, age and criminal history. Tyler is fixing the flaw.
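The two weaknesses described above, a predictable sequential identifier used as the sole login credential and no limit on failed attempts, each have a standard defender-side fix. The following is an added illustration, not code from the TechCrunch article or from Tyler Technologies; the portal class, the token format, the attempt thresholds and the sample juror record are all constructed for this example. It contrasts the search space of a 7-digit numeric identifier with a 128-bit random token, and shows a sliding-window rate limiter refusing further logins from a client once its failure budget is spent.

```python
"""Added example: hardening a token-based login against identifier enumeration.

Not code from the TechCrunch article or from Tyler Technologies. The portal,
identifier format, thresholds and sample record below are constructed.
"""
import hashlib
import math
import secrets
import time
from collections import defaultdict, deque


def sequential_id_bits(digits: int) -> float:
    """Upper bound, in bits, on the work to enumerate an all-numeric identifier
    `digits` long. A sequential counter is weaker still, since issued values
    cluster just below the current counter, but the bound alone shows the gap
    to a 128-bit random token."""
    return math.log2(10 ** digits)


def issue_access_token(nbytes: int = 16) -> str:
    """Hardened replacement for a sequential juror number: a random URL-safe
    token carrying nbytes * 8 bits of entropy (128 by default)."""
    return secrets.token_urlsafe(nbytes)


def _token_key(token: str) -> bytes:
    """Index records by the SHA-256 of the token, so a leaked table holds no
    usable credentials and the lookup does not touch the token plaintext."""
    return hashlib.sha256(token.encode("utf-8")).digest()


class SlidingWindowLimiter:
    """Per-client limiter: at most `max_failures` failed logins within any
    `window_seconds` span. `clock` is injectable so the demo can advance time."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # client -> failure timestamps

    def _prune(self, client: str) -> deque:
        q = self._failures[client]
        cutoff = self.clock() - self.window_seconds
        while q and q[0] <= cutoff:  # drop failures outside the window
            q.popleft()
        return q

    def allowed(self, client: str) -> bool:
        return len(self._prune(client)) < self.max_failures

    def record_failure(self, client: str) -> None:
        self._prune(client).append(self.clock())


class JurorPortal:
    """Constructed portal: the only way in is an unguessable token, and
    failed guesses are rate-limited per client before the lookup runs."""

    def __init__(self, limiter: SlidingWindowLimiter):
        self.limiter = limiter
        self._records = {}  # sha256(token) -> juror record

    def enroll(self, record: dict) -> str:
        token = issue_access_token()
        self._records[_token_key(token)] = record
        return token  # delivered to the juror out of band, e.g. on the summons

    def login(self, client: str, token: str) -> dict:
        if not self.limiter.allowed(client):
            return {"status": "rate_limited"}
        record = self._records.get(_token_key(token))
        if record is None:
            self.limiter.record_failure(client)
            return {"status": "denied"}
        return {"status": "ok", "record": record}


def demo() -> dict:
    """Exercise both controls with a fake clock and return the observations."""
    now = [1000.0]
    limiter = SlidingWindowLimiter(max_failures=3, window_seconds=60,
                                   clock=lambda: now[0])
    portal = JurorPortal(limiter)
    # Constructed sample record; not real juror data.
    token = portal.enroll({"juror": "J. Doe (constructed)",
                           "county": "Example County"})
    client = "203.0.113.7"  # documentation-range address, constructed
    out = {"good_login": portal.login(client, token)["status"]}
    for i in range(3):  # three wrong tokens exhaust this client's budget
        portal.login(client, f"not-a-valid-token-{i}")
    # Even the correct token is refused until the window slides past them.
    out["after_burst"] = portal.login(client, token)["status"]
    now[0] += 61
    out["after_window"] = portal.login(client, token)["status"]
    out["sequential_bits"] = round(sequential_id_bits(7), 1)
    out["token_bits"] = 8 * 16
    return out


if __name__ == "__main__":
    print(demo())
```

Keying the limiter on client address is the simplest form; a production deployment would also count failures per target identifier and return the same response for "no such token" and "rate limited" timing-wise, but the point here is that the lookup never runs once the budget is spent.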
Read at TechCrunch