FCC API gaffe potentially allowed malware to be uploaded to its site

Users were able to post disparaging public messages to the government site

The Federal Communications Commission's website, used to collect comments from users on the proposed rule changes on net neutrality, was found to have contained a flaw that appeared to allow almost any type of file to be uploaded to the system, including malware.

The weakness was first discovered by a 20-year-old university student who noticed that when comments are issued to the FCC's server, users were able to upload files without restriction that would be instantly published without oversight from site admins, according to security blogger Guise Bule who first broke the story.

The flaw was demonstrated somewhat brilliantly when a PDF was uploaded to the site claiming to be an apology from the FCC over the net neutraly proposals, which was then made accessible to the public:

It's important to note that users weren't circumventing security, they are simply using the FCC's own application programming interface (API), a key to which seems to be accessible to anyone with an email address.

The FCC has been using the API for comment system to gather public sentiment on proposals to scrap net neutrality, currently being championed by FCC chairman Ajit Pai. Almost 21 million comments have been made on the site, many of which are thought to have come from bots.

Following the initial post, users began to upload their own documentation to the site in an effort to test the restrictions of the API. File extensions including PDFs, gifs, mp4, and even exe made their way onto the site, some of which were up to 25MB in size.

The issue is that users could upload fake documents that appeared to have FCC letterheads, or potentially host malware on a US government website. The FCC has since disabled its public API pending an investigation, and it appears the hosted content is now unaccessible.

However, this was before a string of individuals used the exploit to post embarrassing documents to the site, including one that is still hosted as a PDF which reads: "F**k Net Neutrality. God Bless America".

"[Original poster] is a 20yr student at university and was goofing off from his homework and he decided to have some fun, he saw it as a dumb joke and had no idea that things would get so out of hand, or that others would follow his lead," said Bule.

"It's also important to note that OP believes that he never agreed to the FCC.gov TOS because he never applied for an API key, he just managed to get the URL through their faulty comment system, no hacking involved," he added.

In a statement to IT Pro, a spokesperson for the FCC said: "The FCC comment system is designed to maximize inclusiveness and part of that system allows anyone to upload a document as a public comment, which is what happened in this case.

"The Commission has had procedures in place to prevent malware from being uploaded to the comment system," the statement added, "and the FCC is running additional scans and taking additional steps with its cloud partners to make sure no known malware has been uploaded to the comment system."

It's another embarrassing blow for the FCC, which has already been criticised for its handling of its comment system. Hundreds of thousands of comments were found to have been made under identities stolen from data breaches, while downtime in May was ultimately blamed on a denial of service attack.

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

What is e-safety?
e safety

What is e-safety?

27 Jan 2021
Your essential guide to internet security
Security

Your essential guide to internet security

27 Jan 2021
Mimecast links breach to SolarWinds hackers
Security

Mimecast links breach to SolarWinds hackers

27 Jan 2021
TikTok vulnerability exposed private user data
data protection

TikTok vulnerability exposed private user data

26 Jan 2021

Most Popular

WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021