A recent discovery has shed light on vulnerabilities in a popular tool used by state and local governments to manage public records requests. The tool, called GovQA and designed by IT services provider Granicus, contained flaws that could have allowed hackers to access unsecured files containing highly sensitive personal information.

The vulnerabilities, which have since been fixed, could have enabled hackers not only to download troves of unsecured files tied to records inquiries, but also to trick the system into letting individuals edit or change the metadata of records requests without administrators knowing.

Independent cybersecurity researcher Jason Parker uncovered these flaws and reported them to Granicus and the Cybersecurity and Infrastructure Security Agency (CISA). While Granicus has confirmed that the vulnerabilities did not result in a breach of their systems, the potential risk posed by these flaws is significant.

The flaws in the GovQA platform could have exposed personal information such as IDs, fingerprints, child welfare documentation, and medical reports. These vulnerabilities were centered on access to data within anonymous Freedom of Information Act requests, allowing bad actors to obtain personally identifying verification information submitted by requesters.

The company has taken steps to address the vulnerabilities and is working with customers to minimize the information collected and disclosed in the records request process. Despite Granicus assessing the vulnerabilities as “low severity,” cybersecurity experts have expressed concerns about the potential impact of these flaws.

The discoveries made by Parker highlight the ongoing challenges faced by state and local governments in securing sensitive data. The incidents also underscore the importance of implementing robust cybersecurity measures to protect sensitive information from being exploited by malicious actors.

Fabio

Full Stack Developer
