Critical Infrastructure Security, Vulnerability Management

Over two dozen critical bugs found in voter registration, court systems

Share
Closeup of an American "I voted" sticker placed on a navy shirt.

Developer turned security researcher Jason Parker found more than 25 critical bugs in 19 platforms that let attackers exploit flaws in weak permission controls to then tamper with important government apps, including voter registration systems, legal documents for court cases, and sealed medical records.

In one example during this election season, a critical flaw in Georgia’s voter registration cancellation portal exposed how malicious actors could easily exploit basic public information to cancel voter registrations. The issue involved bypassing the driver's license or Social Security number requirement, leaving the registration of any voter susceptible to exploitation.

Another glaring example revolved around flaws in public records management platform Granicus GovQA. Parker said attackers could easily reset passwords without verifying a user’s identity and gain access to user names and emails by manipulating web addresses. Armed with this level of control, bad actors could hijack accounts, change the ownership of public records, or lock legit users out of their own requests.

“The vulnerabilities exposed in these platforms are more than just technical oversights — the serious and repeated nature of these vulnerabilities is undermining public trust in the corporations and institutions entrusted with managing our most sensitive legal and personal information,” wrote Parker in a recent blog post.

Parker stressed that fixing these issues will take more than just patching a few bugs — he said it calls for a complete overhaul of how security gets managed in court and public records systems. Parker said government agencies and courts must focus on robust permissions controls, stricter validation of user inputs into government systems, and regular security audits and penetration tests must become standard practice, not an afterthought after a cyberattack.

One important note: To date, there's no indication that any of these bugs were exploited in the wild.

Government systems at risk

Parker’s findings highlight a deep issue: government and legal systems rely on outdated infrastructure unfit for modern cybersecurity threats, said Jason Soroko, senior fellow at Sectigo. Soroko said penetration testing is useful, but it’s not enough. While it uncovers flaws, pentests do not fix the core weaknesses in legacy systems or address the need for proactive security. 

“While rip-and-replace may not be possible for these systems, penetration testing can help to point out where more monitoring is needed, but it may be impossible to employ the security controls that are necessary,” said Soroko. “Many government systems are 20 to 30 years old and lack modern features like strong authentication, encryption, and access controls. These gaps make them vulnerable to attacks. The fact that attackers can easily alter voter databases or access legal records shows the limits of relying on reactive measures like penetration testing.”

George McGregor, vice president at Approov, added that the vulnerabilities identified in government systems across the U.S. underscore a systemic issue regarding the protection of backend application programming interfaces. McGregor said these systems are highly susceptible to bot attacks, AI-driven exploitation, and fuzzing attacks, which can lead to unauthorized access, data corruption, and privilege escalation. 

“Vulnerabilities in voter databases are prime targets for nation-state actors aiming to interfere with elections,” said McGregor. “The ease with which someone could cancel voter registrations, as reported in Georgia, shows how attackers could disrupt elections. This could disenfranchise voters by invalidating registrations or altering records, potentially swaying election outcomes in targeted areas. These systems play an essential role in democracy, governance, and the justice system.”

Phil Wylie, offensive security expert at Horizon3.ai, agreed that courts and government agencies do need to do a better job with pen testing. Although the vulnerabilities were found in software platforms, Wylie said security teams should use pentests to thoroughly assess network infrastructure and hosts, including Wi-Fi networks.

“Pentests should be performed frequently since threat landscapes are constantly evolving and exploitable vulnerabilities are constantly discovered,” said Wylie. “However, a good security strategy should also include a vulnerability program that includes regularly executed vulnerability scans, patching, and vulnerability remediation. Supply chain issues should also be considered when assessing security and securing environments.” 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.