Gov't, Judicial IT Systems Beset by Access Control Bugs

A veritable laundry list of high- and critical-severity bugs have been uncovered in software platforms used by government agencies across the US.

Govtech systems are some of the most critical out there, responsible for storing the most sensitive personally identifying information (PII) US citizens own: Social Security numbers (SSNs) and IDs; legal and medical records; voter registrations; and much more. It will surprise few and comfort no one that these systems also happen to be riddled with vulnerabilities. 

Security researcher Jason Parker uncovered issues in 19 such platforms this year, disclosing more than a handful of them late last week. There was the bug in the state of Georgia's portal for canceling voter registrations, the access control issue that exposed court documents in counties across Florida, and the many critical vulnerabilities bogging down a public records request management platform used by hundreds of city, county, and state governments nationwide.

Case Study: A Voter Registration Issue

Some might be old enough to remember when government bugs were cool and inventive. "The Thing," for example — a listening device embedded into a wooden seal, which hung in the residence of the US ambassador to Moscow for seven years before it was discovered.

Today's government bugs are rather banal — access control flaws or improper validations of user input. The kinds of things hackers can use them for, however, are not at all dull.

At the end of July, for example, Georgia launched a voter cancellation request portal. Within days, researchers discovered multiple issues with the site. Parker, for example, found that anyone could submit a cancellation request using only the information easily gleaned from public sources — names, dates of birth, counties of residence — while skipping any requirement for more serious PII, like a driver's license or SSN. The issue earned a "high" Common Vulnerability Scoring System (CVSS) score of 8.6 out of 10, and was fixed shortly after initial disclosure.

It turned out that members of the public had attempted to take real advantage of these issues in the meantime, though, most notably by unsuccessfully deregistering Rep. Marjorie Taylor Greene, and Georgia's Secretary of State Brad Raffensperger, two prominent Republicans in the state.

A Panoply of GovTech Bugs

This kind of basic lack of authentication was emblematic of the security flaws Parker has stumbled upon.

Besides the Georgia bug, for example, were the trio of bugs in Granicus' GovQA. GovQA is a public records management system that is used by more than one-third of the largest US cities, more than 80 state agencies, and nearly half of the "top" US counties, according to GovQA's website.

Another series of bugs in Granicus' electronic filing system allowed for the leakage of sensitive information, the ability to block user logins or modify accounts without authorization, and privilege escalation. The "critical," 9.8 CVSS-rated bugs were reportedly patched back in April.

A similar platform, Thomson Reuters' C-Track eFiling, allowed attackers to escalate from regular user accounts to those saved for court administrators by manipulating certain fields in the registration process. A patch for the "critical" 9.1-rated bug was confirmed last week.

More issues of similar severity were uncovered in court record systems used in counties in Florida, Arizona, Georgia, South Carolina, and others.

Why GovTech Is So Flawed

Government technologies tend to be flawed for all the reasons one might guess.

"A lot of their systems that I've seen are quite literally 20 years old," Parker explains. "They're just adding whatever on top of these legacy platforms for years and years."

Besides standard bureaucracy, outdated and unloved tech is kept alive thanks to a lack of sufficient funding for new systems, services, and security solutions to protect them. And vendors aren't always held to account for the ways in which they fall short on their ends of the bargain.

If anything's going to change, Parker says, it will start with the Federal Risk and Authorization Management Program (FedRAMP) — a governmentwide program for cloud security assessment, authorization, and continuous monitoring — and StateRAMP — a nonprofit offering a similar program for state and local governments. "These are minimum requirements for cybersecurity," Parker says, "and they're being adopted by more and more states, and counties, too."