FCC API gaffe potentially allowed malware to be uploaded to its site

Users were able to post disparaging public messages to the government site

The Federal Communications Commission's website, used to collect comments from users on the proposed rule changes on net neutrality, was found to have contained a flaw that appeared to allow almost any type of file to be uploaded to the system, including malware.

The weakness was first discovered by a 20-year-old university student who noticed that when comments are issued to the FCC's server, users were able to upload files without restriction that would be instantly published without oversight from site admins, according to security blogger Guise Bule who first broke the story.

The flaw was demonstrated somewhat brilliantly when a PDF was uploaded to the site claiming to be an apology from the FCC over the net neutraly proposals, which was then made accessible to the public:

It's important to note that users weren't circumventing security, they are simply using the FCC's own application programming interface (API), a key to which seems to be accessible to anyone with an email address.

Advertisement - Article continues below
Advertisement - Article continues below

The FCC has been using the API for comment system to gather public sentiment on proposals to scrap net neutrality, currently being championed by FCC chairman Ajit Pai. Almost 21 million comments have been made on the site, many of which are thought to have come from bots.

Following the initial post, users began to upload their own documentation to the site in an effort to test the restrictions of the API. File extensions including PDFs, gifs, mp4, and even exe made their way onto the site, some of which were up to 25MB in size.

The issue is that users could upload fake documents that appeared to have FCC letterheads, or potentially host malware on a US government website. The FCC has since disabled its public API pending an investigation, and it appears the hosted content is now unaccessible.

However, this was before a string of individuals used the exploit to post embarrassing documents to the site, including one that is still hosted as a PDF which reads: "F**k Net Neutrality. God Bless America".

"[Original poster] is a 20yr student at university and was goofing off from his homework and he decided to have some fun, he saw it as a dumb joke and had no idea that things would get so out of hand, or that others would follow his lead," said Bule.

"It's also important to note that OP believes that he never agreed to the FCC.gov TOS because he never applied for an API key, he just managed to get the URL through their faulty comment system, no hacking involved," he added.

Advertisement - Article continues below

In a statement to IT Pro, a spokesperson for the FCC said: "The FCC comment system is designed to maximize inclusiveness and part of that system allows anyone to upload a document as a public comment, which is what happened in this case.

"The Commission has had procedures in place to prevent malware from being uploaded to the comment system," the statement added, "and the FCC is running additional scans and taking additional steps with its cloud partners to make sure no known malware has been uploaded to the comment system."

It's another embarrassing blow for the FCC, which has already been criticised for its handling of its comment system. Hundreds of thousands of comments were found to have been made under identities stolen from data breaches, while downtime in May was ultimately blamed on a denial of service attack.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
cyber security

If not passwords then what?

8 Jan 2020
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020