Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Free Access to Legal Docs Provided by Flaw in PACER Court System

A vulnerability found in the Public Access to Court Electronic Records (PACER) system operated by the Administrative Office of the U.S. Courts could have been exploited by hackers to access legal documents through the accounts of legitimate users.

A vulnerability found in the Public Access to Court Electronic Records (PACER) system operated by the Administrative Office of the U.S. Courts could have been exploited by hackers to access legal documents through the accounts of legitimate users.

PACER is an online public access service that allows users to upload and download case and docket information from federal appellate, district and bankruptcy courts. PACER charges $0.10 per page and users are billed every quarter.

The Free Law Project discovered that the system was affected by a cross-site request forgery (CSRF) vulnerability that could have been leveraged to download content from PACER without getting billed for it.

CSRF vulnerabilities are highly common, but that does not make them any less dangerous. The lack of CSRF protection on a website allows other pages opened in the same web browser to interact with the unprotected site.

In the case of PACER, a hacker could have obtained docket reports and other documents at no cost by getting a legitimate user to visit a malicious website while being logged in to the court system. The legitimate user would get billed for the files downloaded by the attacker.

“For users of PACER, unpaid fees can result in damage to their credit, and debt collectors sent to their door at the behest of the AO. They would never know why their PACER bill skyrocketed,” the organization said in a blog post. “For the Administrative Office of the courts, this vulnerability could create chaos in their billing department, and could badly damage the reputation of the organization.”

Free Law Project also believes attackers may have been able to exploit the flaw to upload documents on behalf of lawyers via PACER’s Case Management/Electronic Case Files (CM/ECF) system, but the Administrative Office of the U.S. Courts claimed it was not possible.

“The PACER/ECF system has an annual revenue of around $150M/year, and has around 1.6M registered users. At this scale, this type of vulnerability is extremely troubling,” Free Law Project said. ”Cross site request forgeries are not novel and do not require sophisticated hackers or researchers to discover. We identified this problem while gathering data from PACER, not while attempting to hack it or to research vulnerabilities.”

Advertisement. Scroll to continue reading.

Free Law Project initially said it was “quite possible” the vulnerability had been exploited in the wild, but in a blog post published on Wednesday it clarified that it has no knowledge of the flaw being exploited. A proof-of-concept (PoC) exploit is available on the organization’s website.

The vulnerability was discovered and reported in mid-February and it was patched by all jurisdictions earlier this month.

Related: CSRF Flaw Allowed Attackers to Hijack GoDaddy Domains

Related: XZERES Fixes CSRF Vulnerability in Small Wind Turbine

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.