Flaws in public records management tool could let hackers nab sensitive data linked to requests

lucadp/Getty Images

The GovQA platform, created by IT company Granicus, contained vulnerabilities that could have let cybercriminals retrieve tranches of sensitive files tied to public records requests, a security researcher revealed to Nextgov/FCW.

A popular tool used by numerous state and local governments to manage public records requests contained defects that could have allowed hackers to download troves of unsecured files tethered to records inquiries, including highly sensitive personal information like IDs, fingerprints, child welfare documentation and medical reports, Nextgov/FCW has learned.

The flaws, which have been remedied, could have also enabled hackers to trick the system into letting individuals edit or change the metadata of records requests without administrators knowing.

The platform, called GovQA, is a public records querying system designed by IT services provider Granicus, and is used by hundreds of government management centers across the U.S. to help offices sort records delivered to requesters through official public access channels.

The vulnerabilities were discovered by independent cybersecurity researcher Jason Parker, who relayed the findings to Nextgov/FCW. Parker, who frequently documents their work to bring awareness to the security community, has previously disclosed flaws in multiple states’ court records systems that allowed hackers to pilfer sealed files officially barred from standard users.

Granicus deployed a patch on Monday and is spinning up an additional fix for release this month, company CISO Lenny Maly said in an emailed statement.

“Granicus has confirmed that the disclosed vulnerabilities do not constitute a breach of Granicus systems themselves, i.e., no intrusion to GovQA, Granicus, or any other part of applications or infrastructure occurred,” Maly said.

Parker reported their findings to Granicus and to the Cybersecurity and Infrastructure Security Agency.

“When CISA becomes aware of technology product vulnerabilities, we work with the researcher and vendors involved to understand the vulnerability and mitigation measures and then ensure disclosure of the vulnerabilities in a timely and responsible manner,” a CISA spokesperson said when asked about the findings.

When individuals make record requests to their local or state government, they are sometimes required to submit personal information — such as a driver's license — to verify their residence in the borough, district, municipality or other administrative division from which they are requesting the data. That inquiry is cataloged in the GovQA system and, once processed, the requested files dispatched to the individual are stored alongside their verification papers.

Granicus told Nextgov/FCW that vulnerabilities brought forward by Parker were centered on access to data within anonymous Freedom of Information Act requests. Parker argues that, regardless of whether a records request is anonymized, the vulnerabilities could still have allowed bad actors to obtain personally identifying verification information submitted by a requester that would reveal their identity.

That means a hacker, if successful, could have used the flaws to access sensitive information compiled in a records domain that are tied both to a requestor and the subject of their request, according to Parker. In cases where a request is denied, those verification documents were still logged and potentially exposed.

Hundreds of public sector digital records systems across at least 37 states and the District of Columbia, including courts and schools, use the GovQA offering.

Granicus said that a person who wants to anonymously request documents, as is required in some states, does not create an account in the GovQA system, and that requestor is given an ID and URL to periodically check on their request status.

The company “has already implemented a new process for anonymous requests that requires the requestor to create a username and password while preserving their anonymity. This is already in the process of being rolled out to customers that want to be adopters of this, and we will seek to accelerate this move,” Maly said.

The flaws were exploitable through web developer commands used to interface with the GovQA platform on an internet browser. A skilled hacker could have modified the webpage’s code to trick a records system into coughing up more information than what a typical user should be allowed to see.

In a demonstration observed by two other cybersecurity experts, Parker said they were able to examine detailed records request data in a public sector system and change the details of a request, including its description, ownership and processing department. They were also able to download unredacted photographs of peoples’ driver’s licenses.

It’s not just standard personally identifiable information that can be gleaned from these vulnerabilities, according to Parker. 

“I would say the worst stuff will be some of the records involving kids or domestic violence victims,” Parker said.

In one instance, Parker retrieved several case files from a large state’s children and families center that contained submitted requests about child sexual abuse complaints. The files included full names, birthdays, photos of drivers’ licenses and legal briefings, as well as explicit descriptions of abuse accusations that are too gruesome to describe in this report.

The company assessed the vulnerabilities as “low severity” and said it is “working with customers to encourage them to minimize the information they are collecting and disclosing” and has also “initiated a full review of the data elements that our customers have chosen to include” in the records request process.

But the two cybersecurity experts who viewed the findings described the flaws as much greater than a “low severity” classification.

Matt “Jaku” Jakubowski, a security researcher who helps organize the THOTCON hacking conference in Chicago, said the vulnerability is one of the worst he has ever encountered.

“[Fixing the flaws] wouldn’t be a complete rewrite of the software, but you find things like this, it makes me wonder what else is in there,” Jaku said in a phone interview, adding that flaws like Parker’s discovery are sometimes hard to detect because the website works as intended and such errors wouldn’t show up on vulnerability scanners.

“The lack of authorization checks on edits certainly shows an extreme lack of security controls on these sensitive systems,” Jaku said in a follow-up message to Nextgov/FCW. What makes the matter especially troublesome is that, to edit or manipulate the content of records, a hacker does not need a login for the records system they are trying to breach, he added.

Granicus said that a “high severity” vulnerability would entail scenarios like an actual breach of GovQA infrastructure, bypassing authentication, misconfiguring systems that expose data not meant for the public or obtaining unredacted private documents or records. 

Parker contested the company’s assessment, arguing many of those actions designated as high-severity were successfully executed. 

“I strongly oppose [Granicus’] classification of the severity as low, and I would condemn the mere implication that a leak of explicit sexual abuse records of children would be considered low severity,” Parker told Nextgov/FCW.

Hackers who are able to obtain sensitive materials like those logged in GovQA-backed systems can easily commit identity theft or sell that personal data to others that will do the same, said Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory focusing on cybersecurity and privacy law.

“The individuals involved reasonably should expect that this information will be safeguarded by the state with the utmost care. If victims think the state will leak information about their domestic violence incidents to outsiders, they may become reluctant to report the abuse that happens to them,” she said in an email after viewing Parker’s findings.

State governments and other municipalities are commonly the subject of cyber incidents that have risked leaving private information out in the open. A Kansas court system, for instance, was breached by a cybercriminal gang in November, which held data from its case management system hostage and threatened to post the exfiltrated contents onto dark web forums. 

Maine’s Judicial Branch also shuttered its electronic access systems in December after learning of vulnerabilities in a third-party tool that would allow bad actors to access private information normally unreachable to outside viewers. Georgia’s Fulton County Court — the subject of major headlines as former president Donald Trump and multiple co-defendants are being tried for efforts to subdue the 2020 election results — was disrupted by ransomware hackers last month.

Vulnerabilities like the types discovered by Parker are still widespread, in part because some workplaces lack a responsibility culture around securing code, said Pfefferkorn.

The revelations come a week after President Joe Biden signed an executive order aimed at preventing Americans’ sensitive data from falling into the hands of foreign adversaries. Several data types targeted in the executive order were obtainable through the exploit, given its extensive use across a variety of records systems.