A CSRF flaw that made it possible for attackers to access court documents on the PACER system while making legitimate users pay for it has finally been plugged.
What is PACER?
PACER is an electronic public access service of United States federal court documents – briefs, memos, orders, opinions, etc.
It is used mostly by lawyers and, to a lesser extent, by journalists; users must open an account with the service and then pay to access most of the documents (per page or per document).
About the PACER vulnerability
The cross site request forgery was flagged in February 2017 by the Free Law Project, and pointed out to the Administrative Office of the Courts (AO), which manages federal court documents and runs PACER.
As the system comprises 204 websites, each with its security managed by a different person at a different court, it took six months for the vulnerability to be patched in all of them.
“This vulnerability allows any website to use a visitor’s PACER account (their cookie) to download content from PACER including docket reports and PDFs,” the California-based non-profit organization explained.
“For example, lawyers and journalists might be frequent users of a (fictional) website, ‘legal-news.com,’ and also of the PACER/ECF system. Before this vulnerability was fixed, it would have been possible for underhanded operators of ‘legal-news.com’ to make purchases using the PACER/ECF account of any visitor to their site who happened to also be logged into PACER/ECF.”
They also posited (but couldn’t prove without a test account) that the flaw could have been exploited to upload documents on behalf of an attorney without their knowledge, creating problems for the lawyers, courts, and the AO in the process. PACER administrators, though, indicated that this was not ultimately possible.
When was the flaw introduced?
The Free Law Project believes the introduction of the flaw dates back to when AO implemented per-page fees nearly two decades ago.
“Cross site request forgeries are not novel and do not require sophisticated hackers or researchers to discover. We identified this problem while gathering data from PACER, not while attempting to hack it or to research vulnerabilities,” they noted.
“Nearly all tools for making websites, such as Django, Spring, and AngularJS include protection for cross site request forgeries out of the box. PACER likely predates the creation of these tools and does not appear to use them.”
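The protection those frameworks ship is the synchronizer-token pattern: a billable action is accepted only if the request carries a secret that a page from the site itself embedded, not merely the session cookie that the browser attaches to every request. The example below is added here to illustrate the flaw the Free Law Project describes and its fix; it is not PACER's or the Free Law Project's code, and the session store, cookie name `sid`, the `https://pacer.example` origin and the document identifiers are all constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Hypothetical in-memory session store: session id (cookie value) -> session state.
SESSIONS: dict = {}

@dataclass
class Session:
    user: str
    charges: list = field(default_factory=list)
    # Per-session secret; only pages served by the site itself can read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid

def render_form(sid: str) -> str:
    """A legitimate page embeds this token in its purchase form."""
    return SESSIONS[sid].csrf_token

def purchase_vulnerable(cookies: dict, form: dict) -> Tuple[int, str]:
    """Cookie-only check: any page the user visits while logged in can make the
    browser send the cookie, so a third-party site can trigger a billed download."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "login required"
    session.charges.append(form["doc"])
    return 200, f"billed {session.user} for {form['doc']}"

def purchase_hardened(cookies: dict, form: dict, origin: Optional[str],
                      site_origin: str = "https://pacer.example") -> Tuple[int, str]:
    """Same endpoint with a synchronizer token plus an Origin-header check."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "login required"
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return 403, "csrf token missing or invalid"
    # Defence in depth: browsers attach Origin to cross-site POSTs; reject mismatches.
    if origin is not None and origin != site_origin:
        return 403, "cross-origin request rejected"
    session.charges.append(form["doc"])
    return 200, f"billed {session.user} for {form['doc']}"
```

A request from a page on another site never carries the token, so `purchase_hardened` refuses it and records no charge, while `purchase_vulnerable` bills the logged-in user.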
It seems that the flaw was not discovered by miscreants before this, or, if it was, they took advantage of it sparingly and did not raise suspicions.
For the potential victims – the paying users – it would be difficult to prove that they were not, in fact, the ones who purchased access to the documents, as the request effectively comes from the user’s own computer. Perhaps now, with the existence of the flaw made public, some will come forward with information pointing to current or past exploitation.
What should be done next?
While this vulnerability has now been fixed, the Free Law Project says that the PACER system could do with an overhaul, and that it would be better if it were rebuilt on a well-known web development toolkit and centralized (so that fixing vulnerabilities becomes easier, faster, and less costly).
They also think that it would be a good idea for the AO to establish a vulnerability disclosure policy and bug bounty program, and hire a security consulting firm to do regular security audits.