Jason Parker on Muck Rack

Jason Parker

(He/they)
Hartford
Covers:  Cybersecurity, social justice, civil rights, and the law surrounding them.
He/they. cybersecurity researcher | independent journalist | software developer email: north@ꩰ.com mstdn: @north@ꩰ.com disclosures: govtech.cc

Jason Parker’s Journalist Portfolio

View as a grid

Vulnerability Disclosure: Granicus eFiling

Vulnerability Disclosure: Granicus eFiling

Jeltz — Several critical vulnerabilities were identified in Granicus's eFiling platforms. These vulnerabilities included the leakage of sensitive user information, the ability to modify user accounts without proper authorization, the potential to deny users access by duplicating usernames, and privilege escalation through manipulation of organization type codes.

Vulnerability Disclosure: Georgia Voter Registration Cancellation Portal

Vulnerability Disclosure: Georgia Voter Registration Cancellation Portal

Jeltz — A critical vulnerability was discovered in Georgia's voter registration cancellation portal, allowing unauthorized individuals to submit a cancellation request without proper identity verification. The issue involved bypassing the driver's license or Social Security number requirement, leaving the registration of any voter susceptible to exploitation.

Critical Flaws in Government Systems Put Legal and Voter Data at Risk

Critical Flaws in Government Systems Put Legal and Voter Data at Risk

Medium — A recent wave of cybersecurity disclosures has uncovered alarming vulnerabilities in the platforms that government agencies and courts rely on to manage sensitive public records and legal documents.

Vulnerability Disclosure: Thomson Reuters C-Track eFiling

Vulnerability Disclosure: Thomson Reuters C-Track eFiling

Jeltz — An insufficient permission check vulnerability in Thomson Reuters's C-Track eFiling system allowed users to assign themselves privileged roles, such as Clerk, during the registration process. By manipulating form data, attackers could gain unauthorized access to administrative functionalities and sensitive court data.

Vulnerability Disclosure: Granicus GovQA

Vulnerability Disclosure: Granicus GovQA

Jeltz — Several critical vulnerabilities were identified in Granicus's GovQA, a platform used by government agencies for case and document management. These vulnerabilities included the leakage of usernames and emails, the ability to reset passwords without answering security questions, and the capability to reset any password without knowing the username.

Vulnerability Disclosure: NYPD Officer Complaints

Vulnerability Disclosure: NYPD Officer Complaints

Jeltz — Insufficient permission check vulnerabilities in NYPD's officer complaints platform, RockDaisy Athlete Management System, allowed unauthenticated attackers to access the administrative dashboard. Attackers could view and edit user accounts, SQL queries, database connection information, and officer profile data. Additionally, it was possible to add malicious files (such as PDFs or executables) to the Azure datastore and serve them to users who requested officer complaints.

Vulnerability Disclosure: Maricopa County Superior Court eFiling

Vulnerability Disclosure: Maricopa County Superior Court eFiling

Jeltz — Insufficient permission check vulnerabilities allowed unauthorized users to access restricted documents through the Maricopa Superior Court eFiling system's API endpoint. These issues were due to the ability to manipulate user IDs in API requests, potentially exposing sensitive information from recent court filings.

Vulnerability Disclosure: Catalis EZ-Filing v3

Vulnerability Disclosure: Catalis EZ-Filing v3

ꩰ.com — Catalis EZ-Filing v3 -- An insufficient permission check vulnerability in Catalis's EZ-Filing v3 eFiling platform allowed authenticated users to access sealed documents, such as mental health reports in guardianship cases, exposing highly sensitive and confidential information. This security flaw compromises the privacy and safety of vulnerable individuals involved in legal proceedings. EZ-Filing v3 is used by Maine.

Vulnerability Disclosure: Catalis EZ-Filing v4

Vulnerability Disclosure: Catalis EZ-Filing v4

ꩰ.com — Catalis EZ-Filing v4 -- An insufficient permission check vulnerability in Catalis's EZ-Filing v4 eFiling platform allowed authenticated attackers to extract personal data, such as names, addresses, emails, and phone numbers, from user accounts by manipulating POST requests. This security flaw exposes users to potential identity theft and fraud. EZ-Filing v4 is used by Georgia and South Carolina.

Vulnerability Disclosure: Granicus GovQA

Vulnerability Disclosure: Granicus GovQA

ꩰ.com — Granicus GovQA -- Insufficient permission check vulnerabilities in Granicus's GovQA allowed unauthorized access to view, edit, and change ownership of open records requests1, including restricted-access confidential records. By changing ownership of a request, an attacker could effectively deny a legitimate user's access to that request. The vulnerabilities affected various deployments, including numerous Departments of Children and Family Services or their equivalents, which handle highly sensitive records of domestic violence and sexual abuse allegations against children.

Vulnerability Disclosure: Granicus eFiling

Vulnerability Disclosure: Granicus eFiling

ꩰ.com — Granicus eFiling -- Vulnerabilities in the eFiling platform from Granicus allowed attackers to register accounts in any organization of their choosing, including the organization that granted administrator privileges. Administrators have carte blanche access to all filings in all cases. Additionally, an organization owner could force any user into their own organization, which allowed the organization owner to effectively revoke privileges of administrators or other organization owners.

Vulnerability Disclosure: Disorder in the Court

Vulnerability Disclosure: Disorder in the Court

ꩰ.com — Disorder in the Court -- Insufficient permission check vulnerabilities in public court record platforms from multiple vendors allowed unauthorized public access to sealed, confidential, unredacted, and/or otherwise restricted case documents. Affected documents include witness lists and testimony, mental health evaluations, child custody agreements, detailed allegations of abuse, corporate trade secrets, jury forms, and much more.

Vulnerability Disclosure: BluHorse Inmate Management

Vulnerability Disclosure: BluHorse Inmate Management

ꩰ.com — BluHorse Inmate Management -- Leaked personal data of inmates and officers.

Vulnerability Disclosure: Bluesky social network / AT Protocol

Vulnerability Disclosure: Bluesky social network / AT Protocol

ꩰ.com — Bluesky social network / AT Protocol vulnerability disclosures and exploit framework --