More Details on the PACER Vulnerability We Shared with the Administrative Office of the Courts

PACER Logo

PACER/ECF is a system of 204 websites that is run by the Administrative Office of the Courts (AO) for the management of federal court documents. The main function of PACER/ECF is for lawyers and the public to upload and download court documents such as briefs, memos, orders, and opinions.

In February we reported that we disclosed a major vulnerability in PACER/ECF to the AO. The proof of concept and disclosure/resolution timeline are available here.

We are pleased to share that this issue is now properly addressed, and that we are now able to report more details about it. Throughout the process of researching, disclosing, and resolving this vulnerability, the AO has been prompt and professional, something that we greatly appreciate given the considerable constraints and complexities they are facing. However, despite their skill in dealing with this issue, after discovering it we have lingering concerns about the security of PACER/ECF on the whole.

In this post, we discuss three topics. First, we outline what the vulnerability was and how to identify if you were a victim of it. Second, we discuss why the vulnerability is troubling for a system of PACER/ECF’s size and …

more ...

Free Law Project has Notified the Administrative Office of the Courts about a Major Security Vulnerability in the PACER/ECF System

Recently, as part of our routine business practices, we discovered what we believe is a major vulnerability in the PACER system of websites that we believe affects both the electronic case filing and public access portals.

At this time, as part of a responsible disclosure process, we have notified the appropriate parties at The Administrative Office of the Courts, the agency that runs PACER. According to industry norms, we have given them a broad 90 day window to resolve the vulnerability.

After the 90 days are up or the issue is resolved, we plan to publish the details of what we discovered, the ramifications of the discovery, and the solution that they have put in place, if any.

Further questions about the vulnerability can be directed to our contact form where you can find our GPG key, if needed.

more ...