FCC API gaffe potentially allowed malware to be uploaded to its site

Users were able to post disparaging public messages to the government site

The Federal Communications Commission's website, used to collect comments from users on the proposed rule changes on net neutrality, was found to have contained a flaw that appeared to allow almost any type of file to be uploaded to the system, including malware.

The weakness was first discovered by a 20-year-old university student who noticed that when comments were submitted to the FCC's server, files could be uploaded without restriction and were published instantly, with no oversight from site admins, according to security blogger Guise Bule, who first broke the story.

The flaw was demonstrated somewhat brilliantly when a PDF was uploaded to the site claiming to be an apology from the FCC over the net neutrality proposals, which was then made accessible to the public.

It's important to note that users weren't circumventing security; they were simply using the FCC's own application programming interface (API), a key to which seems to be accessible to anyone with an email address.

The FCC has been using the API for its comment system to gather public sentiment on proposals to scrap net neutrality, currently being championed by FCC chairman Ajit Pai. Almost 21 million comments have been made on the site, many of which are thought to have come from bots.

Following the initial post, users began to upload their own documents to the site in an effort to test the restrictions of the API. Files with extensions including PDF, GIF, MP4 and even EXE made their way onto the site, some of them up to 25MB in size.
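As an added illustration (not code from the article or from the FCC's system), here is the kind of check a comment-attachment endpoint would apply to reject the unrestricted uploads described above: it caps size at the 25MB figure reported, identifies each file by its leading bytes rather than the name the client supplies, allows only PDF attachments, and holds accepted files for a malware scan instead of publishing them instantly. The policy, function names and sample inputs are constructed assumptions.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Constructed policy for a hypothetical public comment-attachment endpoint.
MAX_UPLOAD_BYTES = 25 * 1024 * 1024    # the article reports uploads of up to 25MB
ALLOWED_TYPES = {"application/pdf"}    # the only attachment type a comment should carry

# Identify content by its magic number, never by the client-supplied
# extension or Content-Type header, which an uploader controls.
MAGIC_NUMBERS = [
    (b"%PDF-", "application/pdf"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"MZ", "application/x-msdownload"),   # Windows executable (the "exe" case)
    (b"\x7fELF", "application/x-elf"),     # Linux executable
]
EXTENSION_FOR = {"application/pdf": ".pdf", "image/gif": ".gif", "video/mp4": ".mp4"}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    detected_type: Optional[str] = None


def sniff_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None if unknown."""
    for magic, mime in MAGIC_NUMBERS:
        if data.startswith(magic):
            return mime
    if data[4:8] == b"ftyp":               # ISO base media (MP4) puts its marker at offset 4
        return "video/mp4"
    return None


def check_upload(filename: str, data: bytes) -> Verdict:
    """Validate one attachment. Accepted files are quarantined, not published."""
    if len(data) > MAX_UPLOAD_BYTES:
        return Verdict(False, "too large")
    detected = sniff_type(data)
    if detected not in ALLOWED_TYPES:
        return Verdict(False, "content type not allowed", detected)
    ext = os.path.splitext(filename)[1].lower()
    if ext != EXTENSION_FOR[detected]:      # name disagrees with content: reject rather than guess
        return Verdict(False, "extension does not match content", detected)
    return Verdict(True, "quarantined for malware scan before publication", detected)
```

The order matters: size is checked before any parsing, content before name, and even a clean-looking PDF is only queued for scanning rather than served to the public straight away.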

The issue is that users could upload fake documents that appeared to carry FCC letterheads, or potentially host malware on a US government website. The FCC has since disabled its public API pending an investigation, and the hosted content now appears to be inaccessible.

However, this was before a string of individuals used the exploit to post embarrassing documents to the site, including one that is still hosted as a PDF which reads: "F**k Net Neutrality. God Bless America".

"[Original poster] is a 20yr student at university and was goofing off from his homework and he decided to have some fun, he saw it as a dumb joke and had no idea that things would get so out of hand, or that others would follow his lead," said Bule.

"It's also important to note that OP believes that he never agreed to the FCC.gov TOS because he never applied for an API key, he just managed to get the URL through their faulty comment system, no hacking involved," he added.

In a statement to IT Pro, a spokesperson for the FCC said: "The FCC comment system is designed to maximize inclusiveness and part of that system allows anyone to upload a document as a public comment, which is what happened in this case.

"The Commission has had procedures in place to prevent malware from being uploaded to the comment system," the statement added, "and the FCC is running additional scans and taking additional steps with its cloud partners to make sure no known malware has been uploaded to the comment system."

It's another embarrassing blow for the FCC, which has already been criticised for its handling of its comment system. Hundreds of thousands of comments were found to have been made under identities stolen from data breaches, while downtime in May was ultimately blamed on a denial of service attack.
