Court records system has been open to hackers for decades

Attention, all of you honest, upstanding users of the US Public Access to Court Electronic Records/Electronic Case File (PACER/ECF) system: you might have been paying for people not so honest and upstanding to use the system, thanks to an easily exploitable security hole.

The Free Law Project (FLP) reported in a blog post last week that the vulnerability to a Cross Site Request Forgery (CSRF) has now been patched by the Administrative Office of the Courts (AO), which operates the PACER/ECF system, on all of its 204 websites.

But the FLP said it had discovered it back in February, and added that it had probably existed in the system for nearly two decades – since the AO first implemented per-page fees, which are now 10 cents, billed quarterly.

The vulnerability, said the FLP,  could have been exploited by hackers not only to access legal documents through the accounts of legitimate users – with the bill being sent to those legitimate users – but even to file documents under the names of attorneys without their knowledge or consent.

CSRF is a common and pernicious attack – the Open Web Application Security Project (OWASP) ranked it eighth on its 2017 list of the Ten Most Critical Web Application Security Risks. As FLP puts it, the flaw enabling a CSRF is “easily found by hackers and can have significant impact on users … [by allowing] one website to take actions using an account on another website”, adding that given PACER/ECF’s 1.6m users and annual revenue of about $150m, “this type of vulnerability is extremely troubling”.

Naked Security’s Paul Ducklin offers a brief tutorial on CSRF here.

FLP gave an example of how it could happen on a fictional website it called, used by journalists and lawyers. As long as the vulnerability exists, a hacker on that site would be able to “make purchases using the PACER/ECF account of any visitor to their site who happened to also be logged into PACER/ECF”, said the FLP.

The organization has “no knowledge of this vulnerability being exploited”. But of course, one of the characteristics of a CSRF is that the victim doesn’t know that an unauthorized transaction has happened until it has been completed. And if users of PACER/ECF don’t scrutinize their bills, they might never be aware.

FLP did compliment the AO’s response, saying it had been “prompt and professional” in addressing the flaw. But, it said, “despite their skill in dealing with this issue, after discovering it we have lingering concerns about the security of PACER/ECF on the whole”.

Given the age of the system, says the FLP, simply fixing the CSRF flaw  “is like plugging a hole in a failing dam … More holes will soon appear, and slowly but surely, the dam will break”.

So, before the dam breaks, FLP recommends centralizing and standardizing PACER/ECF, which would make it much easier, and faster, to address other security flaws. The current system is not a single website, but 204 of them, all managed by different court staff across the country. Patching the CSRF hole took nearly six months, noted the FLP.

The current decentralized system also means that “hundreds of people are responsible for the security of their installation of PACER/ECF, each with their own priorities, skills, budgets, and time constraints”.

One result of that, said the FLP, was that none of the nearly 200 sites it had tested had a strong HTTPS configuration, “and many had poor configurations with basic errors, receiving an ‘F’ grade from SSLLabs,” which reviews HTTPS configurations.

The FLP’s other recommendations include:

  • Use a well-known web development toolkit or framework, nearly all of which have built-in protections against CSRF and other vulnerabilities.
  • Hire a security consulting firm to do security audits, the most basic of which would have caught the CSRF flaw.
  • Establish a vulnerability disclosure policy and bug bounty program. “Bug bounties are a tested means of building security communities in the private sector … (and) in the public sector they are gaining steam too,” FLP said, noting that the Pentagon, the Army and General Services Administration now use them.
  • Consider making content that is already free – which includes opinions and orders – available without requiring a login.

The AO did not respond to a request for comment. But Jim Manico, a global board member of the OWASP Foundation, said that while he thought most of the FLP’s security recommendations were “OK,” he was “not fond” of the recommendation to use a “well-known web development toolkit or framework”. He added:

Frameworks bring their own complexity and insecurity. Regardless of what you do, you specifically need to address these vulnerabilities in the right way.

He recommended looking at the OWASP CSRF Prevention Cheat Sheet. But he agreed that the CSRF vulnerability was “quite serious. Attackers can target users and make them trigger fake transactions without even knowing they are doing it,” he said, adding:

Especially when you combine this with logins that keep users logged in for very long periods of time, like when they support the ‘remember me’ feature.

In other words, this is an area where you actually have the right to be semi-forgotten. Use it.