Govt, Judicial IT Systems Beset by Access Control Bugs

Published: 23/11/2024   Category: security

Poor permission controls and weak user input validation are endemic to the platforms that protect Americans' legal, medical, and voter data.



A veritable laundry list of high- and critical-severity bugs has been uncovered in software platforms used by government agencies across the US.
Govtech systems are some of the most critical out there, responsible for storing the most sensitive personally identifying information (PII) US citizens own: Social Security numbers (SSNs) and IDs; legal and medical records; voter registrations; and much more. It will surprise few and comfort no one that these systems also happen to be riddled with vulnerabilities. 
Security researcher Jason Parker uncovered issues in 19 such platforms this year, disclosing more than a handful of them late last week. There was the bug in the state of Georgia's portal for canceling voter registrations, the access control issue that exposed court documents in counties across Florida, and the many critical vulnerabilities bogging down a public records request management platform used by hundreds of city, county, and state governments nationwide.
Some might be old enough to remember when government bugs were cool and inventive. The Thing, for example — a listening device embedded into a wooden seal, which hung in the residence of the US ambassador to Moscow for seven years before it was discovered.
Today's government bugs are rather banal — access control flaws or improper validation of user input. The kinds of things hackers can use them for, however, are not at all dull.
At the end of July, for example, Georgia launched a voter cancellation request portal. Within days, researchers discovered multiple issues with the site. Parker, for example, found that anyone could submit a cancellation request using only information easily gleaned from public sources — names, dates of birth, counties of residence — while skipping any requirement for more sensitive PII, like a driver's license number or SSN. The issue earned a high Common Vulnerability Scoring System (CVSS) score of 8.6 out of 10, and was fixed shortly after initial disclosure.
It turned out that members of the public had attempted to take real advantage of these issues in the meantime, most notably by unsuccessfully trying to deregister Rep. Marjorie Taylor Greene and Georgia's Secretary of State Brad Raffensperger, two prominent Republicans in the state.
This kind of basic lack of authentication was emblematic of the security flaws Parker has stumbled upon.
Besides the Georgia bug, for example, there was the trio of bugs in Granicus GovQA. GovQA is a public records management system used by more than one-third of the largest US cities, more than 80 state agencies, and nearly half of the top US counties, according to GovQA's website.
Another series of bugs in Granicus' electronic filing system allowed for the leakage of sensitive information, the ability to block user logins or modify accounts without authorization, and privilege escalation. The critical, 9.8 CVSS-rated bugs were reportedly patched back in April.
A similar platform, Thomson Reuters C-Track eFiling, allowed attackers to escalate from regular user accounts to those saved for court administrators by manipulating certain fields in the registration process. A patch for the critical 9.1-rated bug was confirmed last week.
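The C-Track escalation described above (privileged access gained by manipulating registration fields) is the classic mass-assignment shape: the server copies every submitted field into the new account, so a client-supplied role overrides the server default. The following is an added illustration, not C-Track or Granicus code; the field names, roles and sample form are constructed, and it shows the vulnerable handler beside a hardened one that allow-lists client fields and assigns privilege server-side.

```python
# Added example (hypothetical, not from any vendor's code base): vulnerable vs.
# hardened self-registration handling for a court e-filing style application.

ACCOUNT_DEFAULTS = {"role": "user", "is_active": True}
# Only these fields may be set by the registering user.
SELF_SERVICE_FIELDS = {"username", "email", "display_name"}


def register_vulnerable(form: dict) -> dict:
    """Mass-assignment: trusts every submitted key, including 'role'."""
    account = dict(ACCOUNT_DEFAULTS)
    account.update(form)  # a client-supplied 'role' silently wins here
    return account


def register_hardened(form: dict) -> dict:
    """Only allow-listed fields come from the client; role is fixed server-side."""
    account = dict(ACCOUNT_DEFAULTS)
    for key in SELF_SERVICE_FIELDS:
        if key in form:
            account[key] = form[key]
    account["role"] = "user"  # never derived from the request body
    return account


def rejected_fields(form: dict) -> set:
    """Submitted keys outside the allow-list; worth logging as a tamper signal."""
    return set(form) - SELF_SERVICE_FIELDS


# Constructed sample submission: a normal sign-up that also smuggles a role field.
SAMPLE_FORM = {
    "username": "jdoe",
    "email": "jdoe@example.com",
    "display_name": "J. Doe",
    "role": "court_admin",
}

if __name__ == "__main__":
    print("vulnerable role:", register_vulnerable(SAMPLE_FORM)["role"])
    print("hardened role:  ", register_hardened(SAMPLE_FORM)["role"])
    print("rejected keys:  ", rejected_fields(SAMPLE_FORM))
```

Logging the rejected keys gives defenders a cheap detection signal, since legitimate clients never submit fields the form does not expose.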
More issues of similar severity were uncovered in court record systems used in counties in Florida, Arizona, Georgia, South Carolina, and others.
Government technologies tend to be flawed for all the reasons one might guess.
"A lot of their systems that I've seen are quite literally 20 years old," Parker explains. "They're just adding whatever on top of these legacy platforms for years and years."
Besides standard bureaucracy, outdated and unloved tech is kept alive thanks to a lack of sufficient funding for new systems, services, and the security solutions to protect them. And vendors aren't always held to account for the ways in which they fall short on their end of the bargain.
If anything's going to change, Parker says, it will start with the Federal Risk and Authorization Management Program (FedRAMP) — a governmentwide program for cloud security assessment, authorization, and continuous monitoring — and StateRAMP — a nonprofit offering a similar program for state and local governments. "These are minimum requirements for cybersecurity," Parker says, "and they're being adopted by more and more states, and counties, too."