Khaberni - A security researcher revealed the presence of a simple but highly dangerous vulnerability in a number of government websites used to manage data of jury candidates in the United States and Canada, exposing sensitive personal information of thousands.
The researcher, who preferred to remain anonymous, explained that at least 12 sites developed by Tyler Technologies were vulnerable, as they all operate on the same platform sharing the same flaw.
The affected sites include large states such as California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia, according to a report published by "TechCrunch"
Unprotected serial numbers
According to the researcher, the flaw allowed anyone to access juror data using the identity number obtained by a candidate when called for service.
The problem is that these numbers are sequential and can be easily guessed through a "brute force" attack, in the absence of a "limit on number of attempts" feature.
An inspection of a site in Texas showed the possibility of accessing highly sensitive information, including:
- Full name.
- Date of birth.
- Occupation.
- Email address.
- Phone number.
- Residential and mailing address.
The vulnerability also exposed data from questionnaires filled out by applicants, including gender, race, educational level, marital status, number of children, citizenship status, age, and criminal records.
Potential violation of health data also
In some cases, access to personal health information was possible, such as medical reasons some citizens provide to request exemption from jury service.
Tyler was notified of the vulnerability on November 5, but did not confirm its existence until November 25.
The company spokesperson, Karen Shields, said the security teams confirmed the presence of a vulnerability that could allow access to some jurors' data through a number guessing attack. She added that the company has developed a solution and is now coordinating with its clients to implement it.
The spokesperson declined to respond to questions about whether the company could determine any malicious access incidents or whether it will notify those affected by the leak.
History of vulnerabilities
This is not the first time the company's systems have faced serious allegations related to data protection.
In 2023, another flaw in "Tyler" systems revealed confidential judicial data, including affidavits and witnesses, mental health files, and sensitive documents for a number of cases in Georgia.
Other reports revealed that government providers like "Catalis" and "Henschen & Associates" suffered a similar flaw that led to the exposure of judicial records in other states.
These recurrent incidents raise significant questions about the readiness of court management systems to protect sensitive personal data in an era where cyberattacks are becoming more complex and widespread.
