Is the PACER Security Problem Fixed or Not?
If you ever wondered about your federal court PACER bill, there was a good reason.
It turns out that the electronic access service had a software issue for decades. The flaw made it possible for hackers to access court documents and charge the fees to other users' accounts.
The courts reportedly have fixed the problem. So do you trust the system now?
What PACER Problem?
Free Law Project, which reported the problem in February, said the Administrative Office of the Courts has now addressed the issue. Public Affairs Officer David Sellers said it wasn't really a problem.
"The only potential vulnerability was that a user's bill could be incorrectly increased," he said. "That never occurred. In fact, there is no evidence that the vulnerability has ever been exploited."
However, Free Law's Mike Lissner said it was definitely a problem. The flaw revealed that PACER has failed to implement standard protections -- such as embedding tokens with complicated sequences on websites -- for a long time.
"For me, not seeing those tokens is like looking at a face and not seeing a nose," he told Ars Technica. "It's pretty egregious. Any sort of basic security audit will check for this kind of thing."
Time for an Upgrade?
While the vulnerability -- a potential cross-site request forgery -- has been sorted out, Free Law and others are calling for a security overhaul of PACER. They suggest a centralized solution for the 204 separate websites using the system.
"They also think that it would be a good idea for the AO to establish a vulnerability disclosure policy and bug bounty program, and hire a security consulting firm to do regular security audits," reported HelpNetSecurity.
Free Law said the "nature and severity of this bug indicates that the AO likely does not have a culture that properly prioritizes security, or that if they do, their current approach to security is not working."