FCC API gaffe potentially allowed malware to be uploaded to its site

Users were able to post disparaging public messages to the government site

The Federal Communications Commission's website, used to collect comments from users on the proposed rule changes on net neutrality, was found to have contained a flaw that appeared to allow almost any type of file to be uploaded to the system, including malware.

The weakness was first discovered by a 20-year-old university student who noticed that when comments are issued to the FCC's server, users were able to upload files without restriction that would be instantly published without oversight from site admins, according to security blogger Guise Bule who first broke the story.

Advertisement - Article continues below

The flaw was demonstrated somewhat brilliantly when a PDF was uploaded to the site claiming to be an apology from the FCC over the net neutraly proposals, which was then made accessible to the public:

It's important to note that users weren't circumventing security, they are simply using the FCC's own application programming interface (API), a key to which seems to be accessible to anyone with an email address.

The FCC has been using the API for comment system to gather public sentiment on proposals to scrap net neutrality, currently being championed by FCC chairman Ajit Pai. Almost 21 million comments have been made on the site, many of which are thought to have come from bots.

Following the initial post, users began to upload their own documentation to the site in an effort to test the restrictions of the API. File extensions including PDFs, gifs, mp4, and even exe made their way onto the site, some of which were up to 25MB in size.

Advertisement - Article continues below
Advertisement - Article continues below

The issue is that users could upload fake documents that appeared to have FCC letterheads, or potentially host malware on a US government website. The FCC has since disabled its public API pending an investigation, and it appears the hosted content is now unaccessible.

However, this was before a string of individuals used the exploit to post embarrassing documents to the site, including one that is still hosted as a PDF which reads: "F**k Net Neutrality. God Bless America".

"[Original poster] is a 20yr student at university and was goofing off from his homework and he decided to have some fun, he saw it as a dumb joke and had no idea that things would get so out of hand, or that others would follow his lead," said Bule.

"It's also important to note that OP believes that he never agreed to the FCC.gov TOS because he never applied for an API key, he just managed to get the URL through their faulty comment system, no hacking involved," he added.

Advertisement - Article continues below

In a statement to IT Pro, a spokesperson for the FCC said: "The FCC comment system is designed to maximize inclusiveness and part of that system allows anyone to upload a document as a public comment, which is what happened in this case.

"The Commission has had procedures in place to prevent malware from being uploaded to the comment system," the statement added, "and the FCC is running additional scans and taking additional steps with its cloud partners to make sure no known malware has been uploaded to the comment system."

It's another embarrassing blow for the FCC, which has already been criticised for its handling of its comment system. Hundreds of thousands of comments were found to have been made under identities stolen from data breaches, while downtime in May was ultimately blamed on a denial of service attack.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The best server solution for your SMB

26 Jun 2020