It was discovered that a vulnerability in a legal assistance AI tool allowed outsiders to access nearly 100,000 confidential files.

AI is being used in many fields, and many AI services aimed at lawyers have also emerged. Meanwhile, security researcher
How I Reverse Engineered a Billion-Dollar Legal AI Tool and Found 100k+ Confidential Files | Alex Schapiro
https://alexschapiro.com/security/vulnerability/2025/12/02/filevine-api-100k
Filevine is a legal assistance tool with features such as case management and document management, and has been valued at over $1 billion after multiple rounds of funding.

Schapiro noticed that law firms use Filevine to manage large amounts of confidential information, and he was interested in the kind of security it implemented. While demo environments for legal assistance tools are typically only available to law firm personnel, Schapiro used a technique called

Merely accessing the site displayed only a loading page, but by analyzing the demo site with Chrome's developer tools and building a payload, he was able to get a response from the demo site.

Further analysis uncovered an administrator token for the organization's cloud storage service, Box. This token allowed full access to the confidential and customer information stored on Box. Schapiro searched for the phrase 'confidential,' which returned 98,693 files.

Schapiro reported the vulnerability to Filevine on October 27, 2025. He then received notification that the fix was complete on November 4, 2025.
in Security, Posted by log1o_hf