Flaws in jury systems used by several US states exposed sensitive personal data


Several public websites designed to allow courts across the United States and Canada to manage personal information about potential jurors had a simple security flaw that easily exposed their sensitive data, including names and home addresses, TechCrunch has learned exclusively.

A security researcher, who asked not to be named for this story, contacted TechCrunch with details about the easily exploitable vulnerability and identified at least a dozen juror websites built by government software maker Tyler Technologies that appear to share the flaw because they run on the same platform.

The affected sites are spread across the country, including California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas and Virginia.

Tyler told TechCrunch that it is fixing the bug after we alerted the company to the information exposures.

The flaw meant that anyone could obtain information about jurors selected for service. To log in to these portals, a juror uses a unique numerical identifier assigned to them. Because those identifiers are issued sequentially, an attacker could simply count up through the number range and try each one in turn. The portals also had no mechanism to stop someone from flooding the login pages with a large number of guesses, a protection known as “rate limiting.”
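The two weaknesses described above compound each other: a sequential identifier makes every valid login guessable, and the absence of rate limiting makes guessing cheap. The following is an added illustration, not Tyler Technologies' code, of a toy portal with both weaknesses beside a version that fixes each independently. The juror records, the portal classes, the client addresses and the rate-limit parameters are all constructed for the example.

```python
# Added illustration of the weakness described above, not Tyler Technologies'
# code: a portal where the juror number is the only credential, numbers are
# issued sequentially and nothing throttles guesses, beside a hardened
# version. All names, records and parameters here are constructed.
import secrets
import time


# Constructed sample records keyed by juror number; no real people.
JURORS = {
    100001: {"name": "Juror A", "city": "Anytown"},
    100002: {"name": "Juror B", "city": "Anytown"},
    100003: {"name": "Juror C", "city": "Anytown"},
}


class WeakPortal:
    """Login accepts a bare juror number; IDs are sequential; no rate limit."""

    def login(self, juror_number):
        return JURORS.get(juror_number)


def enumerate_weak(portal, start, count):
    """Walk the ID space in order. Every hit is a full record; reading N
    records costs about N requests, because the IDs are contiguous."""
    found = {}
    for n in range(start, start + count):
        record = portal.login(n)
        if record is not None:
            found[n] = record
    return found


class HardenedPortal:
    """Two independent fixes: an unguessable 128-bit token replaces the
    sequential number as the credential, and each client gets a fixed budget
    of attempts per time window."""

    def __init__(self, max_attempts=5, window_seconds=60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        # token -> juror number. In practice the token would be printed on
        # the summons; here it is generated when the portal is built.
        self.tokens = {secrets.token_urlsafe(16): n for n in JURORS}
        self._attempts = {}  # client id -> timestamps of recent attempts

    def _over_budget(self, client, now):
        recent = [t for t in self._attempts.get(client, []) if now - t < self.window]
        self._attempts[client] = recent
        return len(recent) >= self.max_attempts

    def login(self, client, token, now=None):
        now = time.monotonic() if now is None else now
        if self._over_budget(client, now):
            return "rate_limited"
        self._attempts.setdefault(client, []).append(now)
        juror_number = self.tokens.get(token)
        return None if juror_number is None else JURORS[juror_number]


def enumerate_hardened(portal, client, guesses, now=0.0):
    """Try a list of guessed tokens from one client inside one window.
    Returns (records found, attempts refused by the rate limiter)."""
    found, refused = {}, 0
    for guess in guesses:
        result = portal.login(client, guess, now=now)
        if result == "rate_limited":
            refused += 1
        elif result is not None:
            found[guess] = result
    return found, refused


if __name__ == "__main__":
    # Ten requests against the weak portal recover every record in the range.
    print(enumerate_weak(WeakPortal(), 100000, 10))
    # Twenty random guesses against the hardened portal: five are processed
    # and miss, the rest are refused outright.
    hardened = HardenedPortal()
    guesses = [secrets.token_urlsafe(16) for _ in range(20)]
    print(enumerate_hardened(hardened, "203.0.113.5", guesses))
```

The order of the two fixes matters. A per-client throttle on its own only slows an attacker who uses one address; someone spreading guesses across many addresses still walks a sequential range in hours. The credential's key space is the real control, and the rate limit is defence in depth that also gives operators something to alert on.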

In early November, the security researcher told TechCrunch that they identified at least one jury management portal for a county in Texas as vulnerable. Inside that portal, TechCrunch saw full names, dates of birth, employment, email addresses, cell phone numbers, and home and mailing addresses.

Other disclosed data included information shared in the questionnaires that potential jurors must fill out to see if they are qualified to serve on a jury.

In the portal seen by TechCrunch, the questions asked about the person’s gender, ethnicity, education level, employer, marital status, children, whether the person was a citizen, whether they were older than 18, and whether they had been convicted or charged with theft or a felony.

In some cases, the vulnerability could have exposed personal health data inside a juror’s profile. For example, if a juror had requested to be excused from service for health reasons, they may have disclosed the medical condition they believe disqualifies them. TechCrunch saw one such case.

Contact us

Do you have more information about vulnerabilities in Tyler Technologies products? Or other government technology? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram and Keybase @lorenzofb or email.

TechCrunch alerted Tyler to the issue on November 5. Tyler acknowledged the vulnerability on November 25.

In a statement, Tyler spokeswoman Karen Shields said the company’s security team confirmed that “a vulnerability exists where some jurors may have been accessible via a brute force attack.”

“We have developed a remedy to prevent unauthorized access and are communicating next steps with our customers,” the statement said.

The spokeswoman did not respond to a series of follow-up questions, including whether Tyler has the technical means to determine whether there was any malicious access to jurors’ personal information and whether it plans to notify people whose data was exposed.
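Whether a portal operator can answer that question depends on what the web server logged. The following is an added example, not Tyler's code, of the check a court's operators would want to run over their own access logs: find any client that walked the juror-number space in order, and count how many records it was actually served. The log format, the field names and the log lines are constructed for the example; a real deployment would adapt the regular expression to its own server's format.

```python
# Added example of a log check for the enumeration described in this
# article. Not Tyler's code; the log format and the log lines are constructed.
import re
from collections import defaultdict

# Assumed log format: timestamp, client IP, method, path, the submitted
# juror number and the HTTP status. Constructed lines; no real traffic.
SAMPLE_LOG = """\
2024-11-05T10:00:01Z 198.51.100.7 POST /juror/login id=100042 status=200
2024-11-05T10:00:02Z 203.0.113.5 POST /juror/login id=100000 status=404
2024-11-05T10:00:02Z 203.0.113.5 POST /juror/login id=100001 status=200
2024-11-05T10:00:03Z 203.0.113.5 POST /juror/login id=100002 status=200
2024-11-05T10:00:03Z 203.0.113.5 POST /juror/login id=100003 status=200
2024-11-05T10:00:04Z 192.0.2.9 POST /juror/login id=100517 status=404
2024-11-05T10:00:04Z 203.0.113.5 POST /juror/login id=100004 status=404
2024-11-05T10:00:05Z 203.0.113.5 POST /juror/login id=100005 status=200
2024-11-05T10:00:05Z 203.0.113.5 POST /juror/login id=100006 status=200
2024-11-05T10:00:06Z 192.0.2.9 POST /juror/login id=100571 status=200
2024-11-05T10:00:06Z 203.0.113.5 POST /juror/login id=100007 status=200
2024-11-05T10:00:07Z 203.0.113.5 POST /juror/login id=100008 status=404
2024-11-05T10:00:07Z 203.0.113.5 POST /juror/login id=100009 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /juror/login id=(?P<id>\d+) status=(?P<status>\d+)$"
)


def parse_log(text):
    """Yield (ip, juror_number, status) per login attempt, in log order."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], int(m["id"]), int(m["status"])


def find_enumeration(text, min_attempts=8, min_sequential_ratio=0.8):
    """Flag clients whose attempts are numerous and mostly step by one.

    A real juror mistyping a number produces a few attempts with no
    consistent +1 pattern; an enumeration script produces many attempts
    that step through the range in order."""
    attempts = defaultdict(list)
    hits = defaultdict(int)
    for ip, juror_number, status in parse_log(text):
        attempts[ip].append(juror_number)
        if status == 200:
            hits[ip] += 1

    flagged = {}
    for ip, ids in attempts.items():
        if len(ids) < min_attempts:
            continue
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        ratio = steps / (len(ids) - 1)
        if ratio >= min_sequential_ratio:
            flagged[ip] = {
                "attempts": len(ids),
                "sequential_steps": steps,
                "records_returned": hits[ip],  # what a notification decision needs
                "id_range": (min(ids), max(ids)),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

The `records_returned` count is the figure that matters for breach notification: each successful response to a client that was clearly enumerating is one person whose record left the system. The check catches the straightforward case only; an attacker who randomises the order of guesses or spreads them across many addresses will not trip the step-by-one test, so the per-address threshold should be paired with a global count of distinct juror numbers served per hour.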

This isn’t the first time Tyler has left sensitive personal data exposed on the internet. In 2023, a security researcher found that due to a separate security flaw, some US online court systems exposed sealed, confidential, and sensitive data, such as witness lists and testimony, mental health evaluations, detailed allegations of abuse, and company secrets.

In that case, Tyler fixed vulnerabilities in its Case Management System Plus product, which was used across the state of Georgia.

Two other government technology providers also exposed data in that case: Catalis, through its CMS360 product, a system used across several US states; and Henschen & Associates, through its CaseLook court system used in Ohio.