More Details on the PACER Vulnerability We Shared with the Administrative Office of the Courts
By Free Law Project Team
August 10, 2017
PACER/ECF is a system of 204 websites that is run by the Administrative Office of the Courts (AO) for the management of federal court documents. The main function of PACER/ECF is for lawyers and the public to upload and download court documents such as briefs, memos, orders, and opinions.
We are pleased to share that this issue is now properly addressed, and that we are now able to report more details about it. Throughout the process of researching, disclosing, and resolving this vulnerability, the AO has been prompt and professional, something that we greatly appreciate given the considerable constraints and complexities they are facing. However, despite their skill in dealing with this issue, after discovering it we have lingering concerns about the security of PACER/ECF on the whole.
In this post, we discuss three topics. First, we outline what the vulnerability was and how to identify if you were a victim of it. Second, we discuss why the vulnerability is troubling for a system of PACER/ECF’s size and importance. Third, we offer concrete actions that the AO can take to prevent this kind of problem in the future.
The Vulnerability and Possible Exploits
The vulnerability itself is a Cross Site Request Forgery (CSRF). This type of vulnerability makes it possible for one website to take actions using an account on another website. For example, lawyers and journalists might be frequent users of a (fictional) website, “legal-news.com,” and also of the PACER/ECF system. Before this vulnerability was fixed, it would have been possible for underhanded operators of “legal-news.com” to make purchases using the PACER/ECF account of any visitor to their site who happened to also be logged into PACER/ECF.
Purchasing documents using somebody else’s account is one possibility. We also speculate, but were unable to prove without a testing version of PACER/ECF, that this vulnerability could be used to file documents on behalf of an attorney without their knowledge or consent. The administrators of PACER/ECF have indicated to us that they have determined that filing documents was not possible.
For the users that were attacked by “legal-news.com,” their quarterly PACER/ECF bill would go up, but neither the AO nor the owner of the account would realize what was happening. Eventually, victims might discover the issue when their PACER/ECF bill arrived and might call the PACER/ECF Service Center to dispute unknown charges or unknown filings. But because this type of attack comes from a user’s computer, not from any centralized location, it would be nearly impossible for anybody to prove they were a victim or even to have any suspicions. Not even changing their password would help if they continued to visit “legal-news.com” while logged into PACER/ECF.
Although we believe this vulnerability has likely existed in the PACER/ECF website since the AO implemented per-page fees nearly two decades ago — CSRF protections would likely be difficult to accidentally remove — we have no knowledge of this vulnerability being exploited. We highlight the scenarios above so that PACER/ECF users can identify if they have been a victim of this vulnerability and take action if so.
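To make the mechanism concrete, here is an added example (not code from PACER/ECF or the Free Law Project) of a minimal purchase handler in the vulnerable shape, beside the same handler hardened with a per-session synchronizer token and an Origin check, exercised with a forged request playing the role of "legal-news.com". The session store, endpoint path, and site origin are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the court site's session store: cookie value -> session state.
SESSIONS = {"sess-abc": {"user": "attorney1",
                         "csrf_token": secrets.token_hex(16),
                         "charges": []}}
SITE_ORIGIN = "https://ecf.example"  # placeholder for the court site's own origin


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def purchase_vulnerable(req):
    """Authorizes a billable action on the session cookie alone. Browsers attach the
    cookie to any POST aimed at the site, so a page on another site can trigger it."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 403
    sess["charges"].append(req.form.get("doc"))
    return 200


def purchase_hardened(req):
    """Same action, but also requires a token that only the site's own pages can
    embed (synchronizer token) and rejects a mismatched Origin/Referer when sent."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf_token"]):
        return 403  # forged cross-site form cannot read the token, so it is absent
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin and not origin.startswith(SITE_ORIGIN):
        return 403  # defence in depth: request came from another site
    sess["charges"].append(req.form.get("doc"))
    return 200


def demo():
    cookies = {"session": "sess-abc"}  # the browser sends this to the court site regardless of page
    # Auto-submitted form from the attacker's page: cookie rides along, token does not.
    forged = Request("POST", "/purchase", cookies, {"doc": "doc-123"},
                     {"Origin": "https://legal-news.com"})
    # Genuine submit from the site's own page, which embedded the session's token.
    genuine = Request("POST", "/purchase", cookies,
                      {"doc": "doc-456", "csrf_token": SESSIONS["sess-abc"]["csrf_token"]},
                      {"Origin": SITE_ORIGIN})
    return (purchase_vulnerable(forged), purchase_hardened(forged), purchase_hardened(genuine))
```

Running `demo()` returns `(200, 403, 200)`: the vulnerable handler bills the victim's account for the forged request, while the hardened one rejects it and still accepts the legitimate purchase.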
Why This is Bad
The PACER/ECF system has an annual revenue of around $150M/year, and has around 1.6M registered users. At this scale, this type of vulnerability is extremely troubling. Cross Site Request Forgeries are ranked by the Open Web Application Security Project (OWASP) as the eighth most critical security risk in 2017 (PDF). These types of vulnerabilities are critical because they are easily found by hackers and can have significant impacts on users.
Cross site request forgeries are not novel and do not require sophisticated hackers or researchers to discover. We identified this problem while gathering data from PACER, not while attempting to hack it or to research vulnerabilities.
Nearly all tools for making websites, such as Django, Spring, and AngularJS, include protection against cross site request forgery out of the box. PACER likely predates the creation of these tools and does not appear to use them.
We are pleased that the Administrative Office of the Courts was able to resolve this issue, but a website of PACER/ECF’s scale and importance needs constant attention to security issues, which continually emerge in the modern web environment.
What Can the Administrative Office of the Courts Do?
When vulnerabilities of this age and severity are brought to light, one reaction is to look in your toolbox for a technical solution that can be brought to bear on the problem at hand. This reaction makes sense and is part of the solution, but on its own it is like plugging a hole in a failing dam. You can plug the hole by fixing the current vulnerability, but more holes will soon appear, and slowly but surely, the dam will break.
For the people at the AO, who have worked to fix this problem, the only solution to future problems is to build and maintain an organizational culture that values and invests in security. PACER/ECF is a website that serves vital legal information to millions of users and which has significant annual revenue. Issues like this must be avoided and investment needs to be made from the top down to prevent future vulnerabilities.
Beyond building a culture that values security, we identify several concrete actions the AO could take to improve the security of PACER/ECF:
We make these suggestions and are providing details about this vulnerability while recognizing two things. First, we are outsiders who are not privy to the internal workings of the AO or PACER/ECF. Second, we recognize that working within the government can be difficult and that the AO has challenging constraints that it must overcome when addressing issues like this one or making changes like those listed above.
We hope that this vulnerability and the discussion of it will encourage the AO to change their approach to security. PACER/ECF is a website used by millions of people who deserve to have a safe environment to do their work. The nature and severity of this bug indicates that the AO likely does not have a culture that properly prioritizes security, or that if they do, their current approach to security is not working. To the extent the concrete steps we have listed above can be implemented by the AO, they would help the AO to provide a secure system and to move towards a security-oriented culture.
We hope they do.