Reverse engineering a $1B Legal AI tool exposed 100k+ confidential files (alexschapiro.com)

🤖 AI Summary
A significant security vulnerability has been uncovered in Filevine, a rapidly growing legal AI tool valued at over $1 billion. The issue, found by a cybersecurity researcher, was a missing authorization check in a demo environment, which allowed access to an admin token for a law firm's Box filesystem. With that token, over 100,000 confidential files were exposed, including documents protected under HIPAA and court orders, posing a severe risk to client data and to the integrity of the legal matters involved. The incident highlights the critical need for strong access controls in the burgeoning legal AI space, where firms increasingly rely on such platforms to manage sensitive information. The researcher responsibly disclosed the vulnerability to Filevine, which responded promptly and committed to fixing the issue, a model of how a vendor should handle coordinated disclosure. As the legal tech industry continues to grow, the incident is a cautionary tale for firms to rigorously vet the security of AI systems before sharing sensitive data with them.