FCC API gaffe potentially allowed malware to be uploaded to its site
Users were able to post disparaging public messages to the government site
The Federal Communications Commission's website, used to collect comments from users on the proposed rule changes on net neutrality, was found to have contained a flaw that appeared to allow almost any type of file to be uploaded to the system, including malware.
The weakness was first discovered by a 20-year-old university student who noticed that when comments are issued to the FCC's server, users were able to upload files without restriction that would be instantly published without oversight from site admins, according to security blogger Guise Bule who first broke the story.
The flaw was demonstrated somewhat brilliantly when a PDF was uploaded to the site claiming to be an apology from the FCC over the net neutraly proposals, which was then made accessible to the public:
It's important to note that users weren't circumventing security, they are simply using the FCC's own application programming interface (API), a key to which seems to be accessible to anyone with an email address.
The FCC has been using the API for comment system to gather public sentiment on proposals to scrap net neutrality, currently being championed by FCC chairman Ajit Pai. Almost 21 million comments have been made on the site, many of which are thought to have come from bots.
Following the initial post, users began to upload their own documentation to the site in an effort to test the restrictions of the API. File extensions including PDFs, gifs, mp4, and even exe made their way onto the site, some of which were up to 25MB in size.
The issue is that users could upload fake documents that appeared to have FCC letterheads, or potentially host malware on a US government website. The FCC has since disabled its public API pending an investigation, and it appears the hosted content is now unaccessible.
However, this was before a string of individuals used the exploit to post embarrassing documents to the site, including one that is still hosted as a PDF which reads: "F**k Net Neutrality. God Bless America".
"[Original poster] is a 20yr student at university and was goofing off from his homework and he decided to have some fun, he saw it as a dumb joke and had no idea that things would get so out of hand, or that others would follow his lead," said Bule.
"It's also important to note that OP believes that he never agreed to the FCC.gov TOS because he never applied for an API key, he just managed to get the URL through their faulty comment system, no hacking involved," he added.
In a statement to IT Pro, a spokesperson for the FCC said: "The FCC comment system is designed to maximize inclusiveness and part of that system allows anyone to upload a document as a public comment, which is what happened in this case.
"The Commission has had procedures in place to prevent malware from being uploaded to the comment system," the statement added, "and the FCC is running additional scans and taking additional steps with its cloud partners to make sure no known malware has been uploaded to the comment system."
It's another embarrassing blow for the FCC, which has already been criticised for its handling of its comment system. Hundreds of thousands of comments were found to have been made under identities stolen from data breaches, while downtime in May was ultimately blamed on a denial of service attack.
Digital Risk Report 2020
A global view into the impact of digital transformation on risk and security managementDownload now
6 ways your business could suffer if you don’t backup Office 365
Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for goodDownload now
Get the best out of your workforce
7 steps to unleashing their true potential with robotic process automationDownload now
8 digital best practices for IT professionals
Don't leave anything to chance when going digitalDownload now