Free Law Project has discovered a major vulnerability in the federal courts’ PACER system that could allow third parties to use a registered PACER account to purchase and download content such as docket reports and case filings. The vulnerability possibly could also be used by a malicious website to make unauthorized uploads to the ECF (Electronic Case Files) system used by attorneys to file documents online.
Free Law Project (FLP) discovered the vulnerability in February, as it briefly reported on its blog at the time, but it withheld details so that it could notify the Administrative Office of the Courts (AOC) and allow AOC time to resolve the vulnerability. Because AOC has now addressed the vulnerability, FLP has provided more details about what it found and why it matters.
However, even though the vulnerability is patched, Michael Lissner, executive director and CTO of FLP, tells me that he remains concerned about the aging PACER system’s continuing exposure unless the AOC takes concrete steps to shore up its security.
Background of the Discovery
In a blog post on Feb. 20, Lissner revealed that FLP had discovered what it believed to be a major vulnerability in the PACER system of websites for both electronic case filing and access to electronic court records. On Feb. 17, FLP notified the AOC, the agency that runs PACER, and gave it 90 days to fix the vulnerability.
On July 27, well after the 90 days had passed, the AOC contacted FLP and informed it that it had not yet fixed all of its sites. It should be noted that PACER is not a single website. Rather, it is 204 separate websites that are administered by local staff in federal courts throughout the country. When a security issue such as this is found, the fix has to be separately applied by local staff to each of these websites.
FLP agreed to extend the deadline to Aug. 6. On Aug. 3, the AOC told FLP that it had fixed 186 of the 204 sites and that the remainder should be fixed by the Aug. 6 deadline. Today, AOC notified FLP that the vulnerability has been resolved in all jurisdictions.
Nature of the Vulnerability
In a blog post published this morning and an accompanying explanation, Lissner said that the vulnerability was one known as a Cross Site Request Forgery (CSRF).
This type of vulnerability makes it possible for one website to take actions using an account on another website. For example, lawyers and journalists might be frequent users of a (fictional) website, “legal-news.com,” and also of the PACER/ECF system. Before this vulnerability was fixed, it would have been possible for underhanded operators of “legal-news.com” to make purchases using the PACER/ECF account of any of their visitors who happened to also be logged into PACER/ECF.
That means that someone who exploited the vulnerability could have made any number of purchases on a legitimate PACER account. Most likely, the vulnerability has existed for nearly two decades, FLP says. It has no knowledge that anyone ever actually did exploit the vulnerability. But law firms may want to review their PACER bills for unauthorized transactions.
The vulnerability could also have been exploited to upload unauthorized documents to PACER in the name of a legitimate attorney, FLP says:
Purchasing documents using somebody else’s account is one possibility. We also speculate, but were unable to prove without a testing version of PACER/ECF, that this vulnerability could be used to file documents on behalf of an attorney without their knowledge or consent. The administrators of PACER/ECF have indicated to us that they have determined that filing documents was not possible.
Note that not even changing your PACER password would have protected you, because the vulnerability occurs when you visit the malicious website while also logged into PACER.
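As an added illustration (not FLP's analysis or any PACER/ECF code), here is a minimal Python model of the pattern described above: a purchase handler that authorizes on the session cookie alone, next to one that also requires a per-session token rendered into the site's own form and a matching Origin header, the kind of check modern web frameworks supply out of the box. The session store, origins and docket name are constructed stand-ins.

```python
import hmac
import secrets

# Constructed in-memory stand-in for one court site's session store:
# session id -> {"user": ..., "csrf": per-session token, "purchases": [...]}
SESSIONS = {}

def login(user):
    """Issue a session id (sent as a cookie) and a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "purchases": []}
    return sid

def purchase_vulnerable(request):
    """Trusts the cookie alone. The browser attaches the cookie to any POST,
    so a page on another site can trigger a purchase while the user is logged in."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401, "not logged in"
    sess["purchases"].append(request["form"]["doc"])
    return 200, "purchased"

def purchase_hardened(request, site_origin="https://ecf.example-court.test"):
    """Synchronizer-token pattern: the form must carry the token tied to this
    session, which a third-party page cannot read. Origin is checked as well."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401, "not logged in"
    if request["headers"].get("Origin") != site_origin:
        return 403, "cross-origin request refused"
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):   # constant-time compare
        return 403, "missing or invalid CSRF token"
    sess["purchases"].append(request["form"]["doc"])
    return 200, "purchased"

def simulate():
    """Constructed scenario: a logged-in user visits the article's fictional
    legal-news.com, which submits a purchase form to the court site."""
    sid = login("attorney@example.test")
    forged = {"cookies": {"sid": sid}, "headers": {"Origin": "https://legal-news.com"},
              "form": {"doc": "sample docket report"}}          # no token: attacker can't read it
    legit = {"cookies": {"sid": sid}, "headers": {"Origin": "https://ecf.example-court.test"},
             "form": {"doc": "sample docket report", "csrf_token": SESSIONS[sid]["csrf"]}}
    return {"forged_vulnerable": purchase_vulnerable(forged)[0],   # 200: purchase goes through
            "forged_hardened": purchase_hardened(forged)[0],       # 403: rejected
            "legit_hardened": purchase_hardened(legit)[0]}         # 200: real form still works
```

Browsers that default cookies to SameSite=Lax also withhold the cookie on cross-site POSTs, but the server-side token check is the control the application itself can rely on.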
Shoring Up the PACER System
Even though the AOC has now addressed and fixed this vulnerability, Lissner says this is no better than plugging holes in a failing dam. “You can plug the hole by fixing the current vulnerability,” he writes, “but more holes will soon appear, and slowly but surely, the dam will break.”
Lissner offers five recommendations for steps the AOC can take to improve PACER/ECF security:
- Centralize and standardize PACER/ECF. As noted above, a major challenge for the AOC is that PACER/ECF is not a single website, but 204 websites lacking central management. Not only is that an administrative problem in rolling out fixes, but it means that responsibility for the security of the PACER system is spread among hundreds of different people. Lissner recommends that PACER centralize and standardize these sites, a move that would both minimize security risk and save money.
- Begin using a well-known web development toolkit or framework. Nearly all modern tools for making websites include protection against CSRF out of the box. But the aged PACER system does not use these tools. “So long as PACER/ECF continues to have its own from-scratch solutions,” Lissner writes, “we can expect this kind of vulnerability to continue arising.”
- Hire a security consulting firm to do regular security audits. The most basic audit from a third-party consulting firm would have identified this and possibly other vulnerabilities, Lissner says.
- Establish a vulnerability disclosure policy and bug bounty program. Vulnerability disclosure policies are a common and straightforward way to provide guidance to researchers who identify problems with websites. The Department of Justice’s Cybersecurity Unit recently published a framework for creating such policies, which Lissner says would be a perfect starting point for the AOC to create its own.
- The AOC should implement a bug bounty program. Bug bounty programs are a common and effective way to motivate the public to come forward with vulnerabilities and to fairly compensate them for any that they discover, Lissner says.
Lissner has one other suggestion for how PACER could avoid this problem: make content freely available without requiring a log-in. He notes that PACER already allows opinions and orders to be downloaded for free. For such content, no log-in should be required, he argues. He further recommends that older content, for cases that are no longer active, also be made downloadable without a charge or log-in.
Why Does This Matter?
Now that PACER has fixed the vulnerability, why should anyone care about this?
One reason is that no one yet knows whether the vulnerability was exploited. Even if an account holder had been a victim of this exploit, the account holder would not have realized it unless unusual activity was noticed on a PACER invoice. By making this known to the public, Lissner is putting PACER account holders on notice and giving them the opportunity to go back and check their invoices.
The other is, as Lissner says, that the dam is failing. Perhaps this will be a wake-up call to the AOC that it is time to bring the PACER system into the 21st Century.