Guise Bule

@guisebule

The FCC.gov Website Lets You Upload Malware Using Its Own Public API Key

August 30th 2017
The first PDF to be hosted and appear publicly.

Somewhat incredibly I am the first tech writer on the planet to break this story, but even more incredibly the FCC lets you upload any file to their website and make that file publicly accessible using the FCC.gov domain.

Or rather they don’t, but they have somehow not realized that they are letting people do it and telling them how in their own documentation.

Take a look at this document about FCC Chairman Ajit Pai which has clearly not been put there by anyone who works at the FCC, neither has this one.

First Report Of The Breach On Twitter

Those currently uploading files are able to do this using the FCC’s own public API, with a key that they seem to issue to anyone who supplies an email address.

FCC API Key Signup Confirmation

Obviously I am not going to tell you how, but if you have enough of the right kind of technical experience the public FCC API documentation will.

People seem to be experimenting with uploading different file types. So far they have managed pdf/gif/ELF/exe/mp4 files up to 25MB in size, which means that you could easily host malware on the FCC.gov website right now and use it in phishing campaigns that link to malware on a .gov website.
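The failure the article describes is a public upload endpoint that accepts whatever it is handed and then serves it from a trusted domain. As an added example (not part of the original article and not FCC code), the validator below shows the defensive pattern: decide by file content (magic bytes), not by the client-supplied extension, enforce an allow-list of the few types a comment-filing system actually needs, and cap the size. The 25 MB default cap mirrors the figure in the article; the allow-list, the sample payloads and all names are assumptions constructed for this example.

```python
"""
Added example: content-based allow-list validation for a public upload
endpoint. Not FCC code; sample payloads are constructed byte strings.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # assumed cap, matching the 25 MB mentioned in the article

# Allow-list: only the document/image types a comment-filing system needs.
ALLOWED_SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Formats recognised only so a rejection carries a meaningful reason.
# GIF is here as a policy choice for this example, not because it is dangerous.
BLOCKED_SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "elf": (b"\x7fELF",),
    "pe-exe": (b"MZ",),
    "gif": (b"GIF87a", b"GIF89a"),
}

EXPECTED_EXTENSIONS = {"pdf": {"pdf"}, "png": {"png"}, "jpeg": {"jpg", "jpeg"}}


@dataclass
class Verdict:
    accepted: bool
    detected: str   # what the bytes actually look like
    reason: str


def _sniff(data: bytes, table: Dict[str, Tuple[bytes, ...]]) -> Optional[str]:
    """Return the first format whose magic bytes prefix the payload."""
    for name, magics in table.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def _is_mp4(data: bytes) -> bool:
    """ISO BMFF (mp4/mov): bytes 4..8 of the first box are 'ftyp'."""
    return len(data) >= 12 and data[4:8] == b"ftyp"


def validate_upload(filename: str, data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> Verdict:
    """Accept only allow-listed content whose extension matches the sniffed type."""
    if len(data) > max_bytes:
        return Verdict(False, "oversize", f"{len(data)} bytes exceeds cap of {max_bytes}")
    if not data:
        return Verdict(False, "empty", "empty body")
    blocked = _sniff(data, BLOCKED_SIGNATURES)
    if blocked:
        return Verdict(False, blocked, "content type not on allow-list")
    if _is_mp4(data):
        return Verdict(False, "mp4", "content type not on allow-list")
    allowed = _sniff(data, ALLOWED_SIGNATURES)
    if allowed is None:
        return Verdict(False, "unknown", "unrecognised content")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXPECTED_EXTENSIONS[allowed]:
        return Verdict(False, allowed, f"extension '.{ext}' does not match content ({allowed})")
    return Verdict(True, allowed, "ok")


# Constructed sample uploads, keyed by the filename the client claimed.
SAMPLES: Dict[str, bytes] = {
    "comment.pdf": b"%PDF-1.4\n%constructed sample\n",
    "memo.pdf":    b"\x7fELF\x02\x01\x01" + b"\x00" * 9,           # ELF binary renamed .pdf
    "clip.mp4":    b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00",  # mp4 container
    "meme.gif":    b"GIF89a" + b"\x00" * 7,
    "tool.exe":    b"MZ\x90\x00" + b"\x00" * 12,
    "pic.pdf":     b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,            # PNG bytes under a .pdf name
}


def run_samples() -> Dict[str, Verdict]:
    return {name: validate_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12} accepted={verdict.accepted!s:5} detected={verdict.detected:8} {verdict.reason}")
```

Magic-byte sniffing is necessary but not sufficient: a file can be a valid PDF and something else at once, and an attacker controls every byte after the header. The validator therefore belongs alongside the second half of the fix the article's scenario calls for, which is never serving user uploads from the trusted domain itself: put them on a separate origin, return them with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, and log the `detected` field so rejected executables show up in monitoring.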

So far internet people have discovered that you can upload video and play it back using an FCC.gov link, though some have been having trouble uploading, while others playing with the vulnerability are clearly not.

Check out this funny FCC.gov hosted picture.

This is clearly hugely embarrassing for the FCC and they will undoubtedly notice this and remove those files at some point, possibly disabling public API use until they investigate further, possibly making a show of it.

They can’t have people uploading fake communications carrying an FCC letterhead and pretending they are real documents; the potential for fraudulent use is ridiculously high. This vulnerability is still being abused and people are playing with it right this moment, uploading all sorts of funny memes and anti net neutrality documents.

Even though this story is so new that it hasn’t hit the mainstream tech media yet and even though we only just publicly realized this vulnerability existed, who knows how long it has been abused by people who found it earlier?

**** UPDATE : Interview with OP ****

I have just finished interviewing the guy who sent that very first PDF up onto the FCC website and he has asked me to keep his name confidential for now until we see how this story plays out tomorrow in the media.

I verified his account by checking the original PDF document’s metadata, and it was created long before the first mention of this story on the web, long before I first noticed others using the vulnerability and before I wrote this.

OP is legit and he stumbled across this vulnerability.

He was commenting on the FCC.gov website just before the midnight deadline and he realized that they assigned a URL to a file before posting a comment.

The “express” comment filing system that most people are using does not allow you to attach files and I was using the more ‘robust’ filing feature.
FCC.gov Commenting UI

OP was pretty upset about Net Neutrality and decided to make a false document containing that now immortal sentence and upload it to the FCC.

OP is a student at university and was goofing off from his homework when he decided to have some fun. He saw it as a dumb joke and had no idea that things would get so out of hand, or that others would follow his lead.

He also did not think anyone would notice it, otherwise he would have written the document in a more mature way he told me.

It’s also important to note that OP believes that he never agreed to the FCC.gov TOS because he never applied for an API key, he just managed to get the URL through their faulty comment system, no hacking involved.

OP is scared and a lot of you are making him really worried about this, so it’s worth noting that he did not actually hack anything to upload his document.

This kind of talk has OP worried.

OP has already written to the Electronic Frontier Foundation to ask for advice. He really does believe he is about to enter a world of pain for this, and because he thought that nobody would see it, he took no privacy precautions.

My heart goes out to this guy; he has a job interview in the morning, and I told him to stop watching the internet and to get some sleep.

**** UPDATE : The FCC are on it OR the horde is overloading them ****

What do you think? Let me know in the comments below!

What’s that? You like the cut of my jib? Follow me on Twitter then and give me a CLAP using the clap button, you can clap more than once :)

** Please note that this article is in the public domain, reproduce it.

** Why should I proofread my articles when I can just blast them out and let you guys correct them (thank you) for me in private comments over time?
