As Naked Security recently reported, The Free Law Project (FLP) said in a blog post that the vulnerability to a Cross Site Request Forgery (CSRF) has been patched by the Administrative Office of the Courts (AO), which operates the PACER/ECF system, on all of its 204 websites.
But the FLP said it had discovered it back in February, and added that it had probably existed in the system for nearly two decades – since the AO first implemented per-page fees, which are now 10 cents, billed quarterly.
The vulnerability could have been exploited by hackers not only to access legal documents through the accounts of legitimate users – with the bill being sent to those legitimate users (one wonders how often and carefully those bills are checked) – but even to file documents under the names of attorneys without their knowledge or consent. I'm not so sure that this kind of conduct would have gone unnoticed.
CSRF is a common and pernicious attack – the Open Web Application Security Project (OWASP) ranked it eighth on its 2017 list of the Ten Most Critical Web Application Security Risks. As FLP puts it, the flaw enabling a CSRF is "easily found by hackers and can have significant impact on users … [by allowing] one website to take actions using an account on another website", adding that given PACER/ECF's 1.6m users and annual revenue of about $150m, "this type of vulnerability is extremely troubling."
FLP gave a sobering example of how it could happen on a fictional website it called legal-news.com, used by journalists and lawyers. As long as the vulnerability exists, a hacker on that site would be able to "make purchases using the PACER/ECF account of any visitor to their site who happened to also be logged into PACER/ECF", said the FLP.
FLP did compliment the AO's response, saying it had been "prompt and professional" in addressing the flaw. But, it said, "despite their skill in dealing with this issue, after discovering it we have lingering concerns about the security of PACER/ECF on the whole." Given the age of the system, says the FLP, simply fixing the CSRF flaw "is like plugging a hole in a failing dam … More holes will soon appear, and slowly but surely, the dam will break."
FLP recommends centralizing and standardizing PACER/ECF, which would make it much easier and faster to address other security flaws. The current system is not a single website, but 204 of them, all managed by different court staff across the country. Patching the CSRF hole took nearly six months, noted the FLP. The current decentralized system also means that "hundreds of people are responsible for the security of their installation of PACER/ECF, each with their own priorities, skills, budgets, and time constraints".
Oh yes, this is a recipe for disaster, no doubt about that.
The FLP said that none of the nearly 200 sites it had tested had a strong HTTPS configuration, "and many had poor configurations with basic errors, receiving an 'F' grade from SSLLabs," which reviews HTTPS configurations.
Other FLP recommendations include:
- Use a well-known web development toolkit or framework, nearly all of which have built-in protections against CSRF and other vulnerabilities.
- Hire a security consulting firm to do security audits, the most basic of which would have caught the CSRF flaw.
- Establish a vulnerability disclosure policy and bug bounty program.
- Consider making content that is already free – which includes opinions and orders – available without requiring a login.
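The built-in CSRF protection the FLP's first recommendation refers to is, in most frameworks, the synchronizer-token pattern: the server embeds a secret, per-session token in every form it serves, and a state-changing request is honoured only if that token comes back with it, since a page on another origin (the FLP's legal-news.com) can make the browser send the victim's cookies but cannot read the token. The following is an added illustration of that check, not code from PACER/ECF or the FLP; the session store, the `ecf.example.test` origin and the docket number are constructed placeholders.

```python
import hmac
import re
import secrets

# Constructed in-memory session store (assumption for the demo): session id -> session data
SESSIONS = {}
ALLOWED_ORIGIN = "https://ecf.example.test"  # placeholder for the site's own origin


def new_session():
    """Log a user in: mint a session id and a fresh CSRF token bound to that session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "purchases": []}
    return sid


def render_purchase_form(sid):
    """The server embeds the session's token in the form it serves to the logged-in user."""
    token = SESSIONS[sid]["csrf_token"]
    return (f'<form method="post" action="/purchase">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            f'<input type="text" name="doc_id"><button>Buy page</button></form>')


def extract_token(html):
    """What the legitimate page's own JavaScript or form submission carries back."""
    return re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)


def handle_purchase(sid, form, origin=None):
    """sid: session cookie the browser attached automatically; form: POST fields;
    origin: the Origin request header, or None if the browser sent none.
    Returns (HTTP status, message)."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    # Check 1: the token must be present and match the session's token (constant-time compare).
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    # Check 2: if the browser reported an Origin, it must be this site's own.
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403, "cross-origin request rejected"
    session["purchases"].append(form["doc_id"])
    return 200, f"charged 10 cents per page for {form['doc_id']}"


def demo():
    """A genuine purchase from the served form succeeds; a request lacking the token, as a form
    hosted on another site would produce, is refused and nothing is billed."""
    sid = new_session()
    token = extract_token(render_purchase_form(sid))
    genuine = handle_purchase(sid, {"csrf_token": token, "doc_id": "1:17-cv-00001"}, ALLOWED_ORIGIN)
    forged = handle_purchase(sid, {"doc_id": "1:17-cv-00001"}, "https://legal-news.com")
    return genuine, forged, len(SESSIONS[sid]["purchases"])
```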
Good for FLP for respectfully bringing this situation to light – and let us hope that its recommendations are taken seriously.