README-2024-05-04-catalis-ez-filing-v4.md

EZ-Filing v4

Description

An insufficient permission check vulnerability in Catalis's EZ-Filing v4 eFiling platform allowed authenticated attackers to extract personal data, such as names, addresses, emails, and phone numbers, from user accounts by manipulating POST requests. This security flaw exposes users to potential identity theft and fraud.

EZ-Filing v4 is used by Georgia and South Carolina.

Details

• Method A: Navigating to the New Case Wizard section (https://ez-filing.net/georgia/NewCaseWizard.aspx) and using PageMethods.GetAccountInfo(12244); to retrieve information.
• Method B: Sending a direct POST request to https://ez-filing.net/georgia/NewCaseWizard.aspx/GetAccountInfo with JSON payload { "accountID": 12244 }, applicable to multiple state directories like /georgia/ and /southcarolina/.

Timeline

• 2024-03-24 - Vulnerability discovered in EZ-Filing v4.
• 2024-03-30 - Vulnerability details reported to Catalis.
• 2024-04-09 - Follow-up #1 sent to Catalis.
• 2024-04-19 - Follow-up #2 sent to Catalis.
• 2024-04-23 - Vulnerability report escalated to PSG Equity¹.
• 2024-04-23 - PSG Equity CISO confirms receipt of report and contacts Catalis management.
• 2024-04-30 - PSG Equity CISO says that the vulnerability has been fixed.
• 2024-04-30 - Vulnerabilities confirmed fixed.

Contact

Jason Parker

• Email: north@ꩰ.com
• Press: press@jeltz.org
• Mastodon: @north@ꩰ.com

Support

• If you enjoy my work, consider becoming a sponsor on Patreon or GitHub, and/or consider donating to the Electronic Frontier Foundation or St. Jude. Many hours of labor are put into researching and disclosing vulnerabilities.

Other Disclosures

• govtech.cc

Footnotes

1. Catalis CEO Scott Roza previously requested that I email him reports directly; no response was provided. The issue was escalated to PSG Equity's CISO. PSG Equity is a majority stakeholder of Catalis. ↩