
HAGERSTOWN, MD News (11/19/2023) – Less than a year after a cybersecurity incident on Thanksgiving Day 2022, Washington County, Maryland, is once again grappling with cybersecurity concerns. A recent report by a security researcher has revealed an unpatched vulnerability in the Accela Citizen Access site, adding to the county government’s ongoing challenges in securing its online systems.

According to information obtained from openbugbounty.org, the report identifies a Cross-Site Scripting (XSS) vulnerability on the accela.washco-md.net website. Security researcher bousfiha_younes, who holds two badges recognizing responsible and coordinated disclosure, discovered the vulnerability and adhered to the ISO 29147 standard for disclosure.

The technical details of the vulnerability are currently withheld (“On Hold”) to allow the website operator sufficient time to address the issue without compromising systems or user data. Once the vulnerability is patched, the researcher may disclose the details publicly after a minimum waiting period of 30 days. If the vulnerability remains unaddressed, the researcher has the option to disclose details 90 days after the submission date.

Accela, the affected website, serves as Washington County Government’s online platform for permitting and land development records. This site was previously impacted by the cybersecurity incident during Thanksgiving 2022. However, the full extent of the impacts and what private information was compromised remain undisclosed by the Washington County Government.

The Open Bug Bounty Program, under which this report was filed, follows a coordinated disclosure timeline based on ISO 29147 guidelines. The vulnerability was reported on September 5, 2023, and verified on the same day. The website operator was promptly notified on September 5, 2023, using various channels, including the ISO 29147 guidelines, publicly available security contacts, the Open Bug Bounty notification framework, and contacts provided by the researcher.

The public report, published on September 5, 2023, refrains from providing technical details to prevent potential misuse of the vulnerability during the remediation process. Public disclosure of information is scheduled for December 4, 2023, at 03:45 GMT.

The Washington County Government continues to grapple with the aftermath of the Thanksgiving 2022 cybersecurity incident, with key details about the extent of the impact and potential compromises of private information yet to be disclosed. As the county works to address the newly identified vulnerability in the Accela Citizen Access site, the report further highlights the ongoing importance of robust cybersecurity measures to protect sensitive information and maintain public trust, as well as the importance of proper, timely disclosure of cybersecurity vulnerabilities and incidents.

Article by multiple RFHC contributors.
