Is the service used by a million journalists and lawyers doing enough for security?

The Pacer court document service used by more than a million journalists and lawyers has raked in more than $1 billion since it was established in 1995, but a new report questions whether its administrators have put enough of that windfall into securing the system. Hanging in the balance is the reliability of a service that's crucial for the smooth functioning of the entire US federal court system.

Until Wednesday, Pacer suffered from a vulnerability that made it possible for hackers to charge download and search-query fees to other users, as long as those users visited a booby-trapped webpage while logged in to a Pacer website. Officials with the non-profit known as the Free Law Project also speculate that the same flaw—known as a cross-site request forgery—may also have allowed hackers to file court documents on behalf of unsuspecting attorneys who happened to be logged in to Pacer. If the speculation is correct, the flaw had the potential to severely disrupt or complicate ongoing court cases. Pacer administrators, however, have told Free Law the fraudulent filing hack wasn't possible.

Even if the hypothesis is wrong, the flaw still made it possible for hackers to cause Pacer users to be billed for services they never requested. The users would have a hard time figuring out why they were being charged for downloads and searches they never made. Even when the users changed passwords, their accounts could still rack up fraudulent charges whenever they were simultaneously logged in to the hacked or malicious site and one of the Pacer sites.

"Pretty egregious"

Free Law said the flaw was the result of Pacer failing to implement anti-CSRF protections that are standard on virtually all fee-based sites. The Open Web Application Security Project has long included CSRF in its top-10 list of website security flaws, and yet it's likely the protections have never been present during the 22 years Pacer has been in existence. Web development tools make it easy to include the protections in Web pages, but Free Law said it suspects Pacer doesn't use these tools. What's more, the absence of these standard protections—which typically are implemented by embedding tokens with a hard-to-guess sequence of characters in Web pages—would have been one of the first things any competent security professional would have caught during security audits that are also standard in the industry.

"We download a lot of data from Pacer," Mike Lissner, executive director of Free Law, told Ars. "For me, not seeing those tokens is like looking at a face and not seeing a nose. It's pretty egregious. Any sort of basic security audit will check for this kind of thing."

Adding to the concern, it took almost six months for the vulnerability to be fixed after Free Law privately reported it to the Administrative Office of the US Courts, the agency that administers Pacer. One possible reason for the delay, Free Law said, is that the 204 separate websites that make up Pacer aren't officially accountable to the AO. Instead, they are accountable to individual district, appeals, or bankruptcy courts. Another potential cause: the 204 sites aren't centrally managed. Instead, court staff around the country are responsible for putting security fixes in place.

There's no evidence that billing information or other user data was ever exposed. Then again, the scope of the Free Law investigation was extremely narrow and likely would not detect such weaknesses. Representatives of the AO didn't respond to e-mails and a phone call seeking comment for this post.

In a post published Wednesday, Free Law praised Pacer for its skill in responding to the vulnerability notification. Still, non-profit officials said they "have lingering concerns about the security of Pacer/ECF on the whole." The non-profit noted that many Pacer sites, including the one for the District Court for the Northern District of California, have received a failing grade from SSL Labs, a service from security firm Qualys that rates the strength of a site's transport layer security protections. The highest grade any Pacer site has received, Free Law said, is a C. Free Law went on to say administrations could improve the security and efficiency of the service by taking the following actions:

Centralizing and standardizing Pacer
Using a well-known Web-development kit or framework
Hiring a security consulting firm to do regular audits
Establishing a vulnerability disclosure policy and bug bounty program
Making freely available documents downloadable to anyone without the requirement to log in first.
In 2015—the last year for which revenue figures are available—Pacer brought in $145 million by charging users 10 cents for each downloaded page and varying fees for each search query they made, according to Free Law. Since 1995, its revenue has totaled more than $1.2 billion. If the AO spent even 10 percent of that amount on security, it's hard to imagine a flaw like the one discovered by Free Law being active for so long.

Update: Several hours after this post went live, AO Public Affairs Officer David Sellers e-mailed a statement. It read in part:

The PACER vulnerability you are inquiring about had been in existence for a number of years. There was never a threat that the vulnerability could be used to file documents in a case on behalf of an attorney or party without their knowledge. There was no ability for someone attempting to exploit this vulnerability to obtain documents from PACER. The only potential vulnerability was that a user’s bill could be incorrectly increased. That never occurred. In fact, there is no evidence that the vulnerability has ever been exploited.
Nevertheless, in less than six months we developed, tested, de-bugged, retested, rolled-out, and implemented the fix to the vulnerability in all courts.

As a matter of policy, we do not discuss the specifics of either IT or physical security. However, I can assure you that security audits and scans are conducted regularly on CM/ECF and PACER by security professionals. Any identified risks are prioritized and addressed based on their potential impact to the integrity and confidentiality of the system and the data it contains. The Judiciary has used anti-CSRF technology for many years.