Federal courts fix 'major' PACER security flaw
Thanks to help from a California nonprofit, the federal courts have patched a “major security vulnerability” in PACER.
On Wednesday, the Free Law Project, an organization dedicated to free public access to legal materials, released a report commending the Administrative Office of the Courts for fixing the flaw.
The Free Law Project had originally notified the Administrative Office of the issue in February, giving it 90 days to resolve the problem before the Project would publish its findings for the general public.
“We are pleased to share that this issue is now properly addressed,” stated a blog post on the organization’s website.
The Free Law Project’s report concerned a cross-site request forgery (CSRF) vulnerability, which put anyone signed into PACER at risk. A browser automatically attaches a user’s PACER session cookie to any request aimed at PACER, including requests that another website’s page causes the browser to send. As the post explains, if a PACER user was signed in and visited a malicious website, the operators of that site could therefore make requests in the user’s name: running up purchases or, as the post speculates, filing documents through the unwitting user’s PACER account.
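To make the mechanism concrete, here is an added, constructed illustration of the CSRF class the article describes; it is not PACER’s code or the Free Law Project’s, and the site names, session layout, per-page price and handler names are all assumptions for the example. It simulates a PACER-style “bill me for these pages” endpoint that authenticates by session cookie alone (the vulnerable shape), beside the same endpoint hardened with a per-session anti-CSRF token and an Origin check, and shows what a request forged by a third-party page looks like from the server’s point of view.

```python
"""
Constructed CSRF illustration: a simulated court-records "purchase" endpoint,
first trusting the session cookie alone (vulnerable), then also requiring a
per-session anti-CSRF token and an Origin check (hardened). All names,
origins and prices are made up for the example; this is not PACER's code.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://pacer.example"      # assumed stand-in for the court site
ATTACKER_ORIGIN = "https://evil.example"   # assumed attacker-controlled site
CENTS_PER_PAGE = 10                        # assumed per-page fee, in cents

# Server-side session store: session id -> {"user", "csrf", "bill_cents"}
SESSIONS = {}


@dataclass
class Request:
    """Just the parts of an HTTP request the handlers look at."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login(user):
    """Start a session and mint an unguessable token bound to it.

    The token is delivered only to the user's own pages on SITE_ORIGIN (e.g. as
    a hidden form field); other origins can never read it, which is what the
    synchronizer-token defence relies on.
    """
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": token, "bill_cents": 0}
    return sid, token


def vulnerable_purchase(req):
    """Authenticates by cookie only: any request the browser sends is honoured."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    sess["bill_cents"] += int(req.form["pages"]) * CENTS_PER_PAGE
    return 200, f"charged {sess['user']}"


def hardened_purchase(req):
    """Same endpoint with two independent CSRF defences layered on the cookie."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    # 1. Origin/Referer check: a form posted from another site carries that
    #    site's origin, which the browser sets and the page cannot override.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403, "cross-origin request rejected"
    # 2. Synchronizer token: must match the value stored for this session.
    #    hmac.compare_digest avoids leaking the token through timing.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid anti-CSRF token"
    sess["bill_cents"] += int(req.form["pages"]) * CENTS_PER_PAGE
    return 200, f"charged {sess['user']}"


def forged_request(sid):
    """What a malicious page can make the victim's browser send: the browser
    attaches the session cookie automatically, but the page cannot read the
    token (same-origin policy) and cannot choose the Origin header."""
    return Request(cookies={"session": sid},
                   form={"pages": "1000"},
                   headers={"Origin": ATTACKER_ORIGIN})


def legitimate_request(sid, token):
    """A form submitted from the site's own page carries token and origin."""
    return Request(cookies={"session": sid},
                   form={"pages": "5", "csrf_token": token},
                   headers={"Origin": SITE_ORIGIN})


def demo():
    """Run both handlers against forged and legitimate requests on one session."""
    sid, token = login("attorney@example")
    forged = forged_request(sid)
    results = {"vulnerable_forged": vulnerable_purchase(forged)[0]}
    results["hardened_forged"] = hardened_purchase(forged)[0]
    # Even if the token leaked, the Origin check still stops a cross-site post.
    leaked = Request(cookies={"session": sid},
                     form={"pages": "1000", "csrf_token": token},
                     headers={"Origin": ATTACKER_ORIGIN})
    results["hardened_leaked_token_wrong_origin"] = hardened_purchase(leaked)[0]
    results["hardened_legit"] = hardened_purchase(legitimate_request(sid, token))[0]
    results["bill_cents"] = SESSIONS[sid]["bill_cents"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the vulnerable handler bills the victim for 1,000 pages it never asked for, while the hardened handler refuses the same forged request and accepts only the form that came from the site’s own page with the session’s token. In a real deployment the cookie would additionally be marked SameSite so the browser itself declines to attach it to cross-site posts; that third layer lives in the browser and is not simulated here.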
The extent of the vulnerability is disputed by a spokesman for the Administrative Office of the Courts. “There was never a threat that the vulnerability could be used to file documents in a case on behalf of an attorney or party without their knowledge,” said David Sellers, a public affairs officer, by email. “The only potential vulnerability was that a user’s bill could be incorrectly increased.”
The Free Law Project believes this problem has existed since PACER instituted per-page fees in 1998. Both Sellers and the Free Law Project say there is no evidence this vulnerability was ever exploited.
With 1.5 million users and an annual income of $150 million, PACER is big enough to make itself a target, writes Mike Lissner, executive director of the Free Law Project and author of the blog post. The Open Web Application Security Project, a nonprofit online security organization, ranked cross-site request forgery as the eighth-most-critical web application security risk in the 2017 release candidate of its Top 10 list.
While this flaw has been fixed, there is still more work to be done, according to Lissner’s post. The federal courts run 204 separate PACER and electronic filing sites across the country, each operated by a different court with its own priorities and budget. Centralizing and standardizing the PACER and electronic filing systems would help limit vulnerabilities and shorten the Administrative Office’s response time, according to the post.
It took about six months for the Administrative Office of the Courts to resolve the cross site request forgery issue.
The Free Law Project also recommends that the Administrative Office use a modern and trusted web development framework, hire security consultants to conduct regular security audits and establish a bug bounty, which would pay rewards to outside researchers who find and report vulnerabilities in the system.
Sellers said in a statement that “security audits and scans are conducted regularly” on both PACER and the electronic case filing system, and that the “Judiciary has used anti-CSRF technology for many years.” As a matter of policy, he declined to discuss security procedures further.
Lissner also recommends making PACER, which stands for Public Access to Court Electronic Records, free. He argues this would shrink the attack surface: a CSRF attack depends on the victim holding a logged-in session, and if documents were free, users would not need to log in at all.
The Free Law Project is a staunch advocate for making the documents found in PACER free to the public. It operates RECAP (PACER backwards), a free browser plug-in that collects documents users download from PACER and places them in a free-to-access public database.