The State Bar of California exam results leak for July ‘22
There is something poetic about a privacy professional learning their bar results from a data leak.
At 6 PM PST on Nov. 10, 2022, the State Bar of California (“CA Bar”) released the official bar passage results for the July ‘22 exam. However, by that point, many individuals who sat for the July ‘22 exam had already learned of their results through two separate data leaks on the CA Bar’s website.
The Certified / Approved Leak
In order to sit for the California bar exam, an individual must first create an account on the CA Bar website. As part of this process, the user is given a profile for their account, which houses a wide range of personal information — name, address, phone number, Social Security number, etc. For some reason, though, the contact info section of a user’s profile also contains this field:
At first glance, the field seems banal and uninteresting. However, a Reddit user noticed this field early on Nov. 9 because, according to their recollection, the field had displayed the word “Approved” the day before. To see if anyone else noticed a change, the user created Reddit posts in /r/CABarExam and /r/BarExam, asking for others to recall whether the field had changed that morning.
As it turned out, the field had changed, but not for everyone. Some users reported seeing Certified where once they saw Approved, but others said they still saw Approved.
So, they created an online poll to gather data.
As the subtext below the poll title indicates, Reddit users began developing a theory: individuals whose Registration Status changed to Certified may have passed the bar, whereas the users whose profile still displayed Approved had failed.
And this theory was supported by the poll’s results: the percentage of Certified users — at least in this data pool — tracked the approximate pass rate one would expect to see from the bar results.
This coincidence understandably sent Reddit users into a panic. People demanded to know whether Certified held any meaning over Approved, so one user called the CA Bar to inquire about the difference. The “Her” in the following call transcription is allegedly a CA Bar staff member.
This alleged direct-from-the-source correlation between Certified and passing the bar deepened the panic, and more individuals called the CA Bar to ask whether Certified in fact meant that the individual had passed the bar exam.
However, rather than publicly address the concern and growing panic, the CA Bar instead removed the Registration Status field from all user profiles.
They gave no warning or indication as to why this one particular field had to be suddenly removed, so users naturally read this to mean that the Approved / Certified hypothesis was correct — that if you saw Certified in what appeared to be an insignificant data field in your contact information, you had passed the July ‘22 bar exam for California.
Now, it may seem at this point that Reddit users were reading too much into tea leaves. After all, the CA Bar’s silent removal of the Registration Status field is reasonable given the frenzy such a banal field seemed to be causing. The problem is that, even if the field had meant nothing (and, as it turns out, it meant a great deal), the silent removal of the field stirred Reddit users into action. And it inspired one particular individual to comb the website for more publicly accessible indications of bar results.
And they found the motherlode of results leaks.
The Console Log Leak
An applicant’s account on the CA Bar website contains a handful of various pages. These include the aforementioned profile page, an exam results page, and a page called “Status.” The CA Bar had updated the Status page about a week prior to the exam results being released, replacing the entire page with a simple notice to the user that the page would be unavailable until the 6 PM PST release time on Nov. 10, 2022.
However, some hours after the Certified / Approved debacle, a Reddit user discovered that if you used a browser’s developer tools function on the “Status” page of a user’s profile, you could see this:
Accessing this data required little technical knowledge. A user need only open their browser’s developer tools on the Status page, click on the Console tab, open the only Status Object item, and — voila! — the data. The availability of information in this particular way means a web developer at some point used a console.log() in the method to get the page’s data — most likely for testing purposes — yet failed to delete the console.log() before pushing the Status page live.
To be clear, web developers use console.log() to make a website write particular data to the browser’s developer console, which any user of the site can open, thereby allowing the web developer to see and troubleshoot problems. In other words, console.log() is a debugging method — one that should be removed before launching a site, otherwise the console will keep logging information that the site owner may not want to be publicly accessible.
But, the CA Bar website still featured the console.log() method on the Status page, even though it was live to the public. So, although the Status page did not visibly display the data, the data remained publicly and easily accessible in every browser’s console.
And the data shown in each user’s console for the Status page contained a lot of personal information: their name, address, law school, the date the law school was accredited, whether they had passed the MPRE, and one very interesting field called CBX_Result__c.
The CBX_Result__c field appears to stand for California Bar Exam, which was supported by the fact that the field was followed by either Pass or Fail. Meaning, a user could see, via their console, whether they had passed or failed the July ‘22 bar exam, even though they still had more than 24 hours to wait for the official results.
Moreover, users took notice of the third field from the bottom: Registration_Status__c, followed by a data point that displayed either Certified or Approved. So, users again ran a poll online to see whether the earlier Certified / Approved leak had in fact correlated with whether users passed the bar exam.
And as the poll indicates, it mostly tracks, with the one wrinkle being that some people saw Approved together with Pass. This was quickly theorized to mean the person had passed the July ‘22 bar exam yet had not completed all requirements to be certified to the California Supreme Court for admission to practice law.
Again, this leak threw users into a panic, and they began contacting the CA Bar for an explanation of the CBX_Result__c field. Even I tweeted at the CA Bar, because I believed they may not have been aware of the panic ensuing from what clearly appeared to be a bar results leak.
Yet, again, rather than make a public statement at the time, the CA Bar took a similar approach to how they handled the Certified / Approved debacle: they quietly removed the Status page from every user profile, thereby preventing users from seeing its console data.
Reddit users quickly realized, however, that although the Status page was no longer accessible as a link in a user’s account, users could still access the page using a direct URL. So the console log data was still available.
Which, again, caused users to believe that they had in fact discovered a results leak. And as it turns out, after the results were officially released on Nov. 10, users created a final Reddit post to see if their theories about the leaked data were true.
The answer: yes.
The CA Bar results for July ‘22 had leaked to the public more than 24 hours before the official release.
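The two mechanisms described above (a debug console.log() left in the live Status page, and a page that stays reachable by direct URL after its link is removed) in a constructed example that is not the CA Bar’s code. The record, the MPRE field name, the release timestamp and the handler names are assumptions; only CBX_Result__c and Registration_Status__c come from the post.

```javascript
// Constructed sample record: the two result fields are the ones the post
// names; the other field names and all values are made up for illustration.
const sampleRecord = {
  Name: "A. Applicant",
  Law_School__c: "Example Law School",
  MPRE_Passed__c: true, // assumed field name
  Registration_Status__c: "Certified",
  CBX_Result__c: "Pass",
};

// Fields whose values reveal the outcome ahead of the official release.
const EMBARGOED_FIELDS = ["CBX_Result__c", "Registration_Status__c"];
// Nov. 10, 2022, 6 PM PST expressed in UTC (PST is UTC-8 in November).
const RELEASE_TIME = Date.UTC(2022, 10, 11, 2, 0, 0);

// Leaky pattern: the page renders nothing, but the full record is still
// sent to the browser and dumped to the console, so anyone who opens
// DevTools on the page can read it. Hiding the page is not access control.
function leakyStatusHandler(record) {
  console.log("Status Object", record); // debug line left in production
  return { pageVisible: false, data: record };
}

// Fix: the server decides what leaves it. Before release time the embargoed
// fields never reach the browser at all, so it no longer matters whether the
// page is linked from the account menu or only reachable by direct URL.
function safeStatusHandler(record, now = Date.now()) {
  if (now >= RELEASE_TIME) return { pageVisible: true, data: { ...record } };
  const data = Object.fromEntries(
    Object.entries(record).filter(([key]) => !EMBARGOED_FIELDS.includes(key))
  );
  return { pageVisible: false, data };
}

// Pre-deployment check: list the lines of a client-side source file that
// still call console.log, so leftover debug output is caught before launch.
function findConsoleLogs(source) {
  return source
    .split("\n")
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => /\bconsole\.log\s*\(/.test(text));
}
```

The same check can be enforced automatically in a build pipeline with ESLint’s no-console rule.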
And lastly, the CA Bar finally acknowledged the leak in a press release on Nov. 10 — after the bar results had been officially announced.
But as the language above indicates, it is not clear at this time whether the CA Bar’s investigation will look outward or inward.