The FCC.gov Website Lets You Upload Malware Using Its Own Public API Key

Somewhat incredibly I am the first tech writer on the planet to break this story, but even more incredibly the FCC lets you upload any file to their website and make that file publicly accessible using the FCC.gov domain. Or rather they don’t, but they have somehow not realized that they are letting people do it and telling them how in their own documentation. Take a look at about FCC Chairman which has clearly not been put there by anyone who works at the FCC, neither has . this document Ajit Pai this one First Report Of The Breach On Twitter Those currently uploading files are able to do this using the FCC’s own , a key that they seem to send to anyone with any email address. public API FCC API Key Signup Confirmation Obviously I am not going to tell you how, but if you have enough of the right kind of technical experience the will. public FCC API documentation People seem to be experimenting uploading different filetypes, so far they have managed pdf/gif/ELF/exe/mp4 files , which means that you could easily host malware on the FCC.gov website right now and use it in phishing campaigns that link to malware on a . up to 25MB in size .gov website So far internet people have discovered that you can upload video and play it back using an FCC.gov link, though some have been having trouble uploading, while others playing with the vulnerability . are clearly not Check out this funny . FCC.gov hosted picture This is clearly hugely embarassing for the FCC and they will undoubtedly notice this and remove those articles at some point, possibly disabling public API use until they investigate further, possibly making a show of it. They can’t have people uploading fake communications carrying an FCC letterhead and pretending they are real document, the potential for fraudulent use is ridiculously high. This vulnerability is still being abused and people are playing with it right this moment, uploading all sorts of and . funny memes anti net neutrality documents Even though this story is so new that it hasn’t hit the mainstream tech media yet and even though we only just publicly realized this vulnerability existed, who knows how long it has been abused by people who found it earlier? **** UPDATE : Interview with OP **** I have just finished interviewing the guy who sent that very first PDF up onto the FCC website and he has asked me to keep his name confidential for now until we see how this story plays out tomorrow in the media. I verified his account by checking the original PDF documents metadata and it was created long before the first mention of this story on the web, long before I first noticed others using the vulnerability and before I wrote this. OP is legit and he stumbled across this vulnerability. He was commenting on the FCC.gov website just before midnight deadline and he realized that they assigned a URL to a file posting a comment. before The “express” comment filing system that most people are using does not allow you to attach files and I was using the more ‘robust’ filing feature. FCC.gov Commenting UI OP was pretty upset about Net Neutrality and decided to make a false document containing that now immortal sentence and upload it to the FCC. OP is a student at university and was goofing off from his homework when he decided to have some fun, he saw it as a dumb joke and had no idea that things would get so out of hand, or that others would follow his lead. He also did not think anyone would notice it, otherwise he would have written the document in a more mature way he told me. It’s also important to note that OP believes that he because he never applied for an API key, he just managed to get the URL through their faulty comment system, no hacking involved. never agreed to the FCC.gov TOS OP is scared and a lot of you are making him really worried about this, so its worth noting that he did not actually hack anything to upload his document. This kind of talk has OP worried. OP has already written to the to ask for advice, he really does believe he is about to enter a world of pain for this and because he thought that nobody would see it, he took no privacy precautions. Electronic Frontier Found My heart goes out to this guy and he has a job interview in the morning, I told him to stop watching the internet and to get some sleep. **** UPDATE : The FCC are on it OR the horde is overloading them **** ? Let me know in the comments below! What do you think What’s that? You like the cut of my jib? Follow me on Twitter then and give me a CLAP using the clap button, you can clap more than once :) ** Please note that this article is in the public domain, reproduce it. ** Why I should proofread my articles when I can just blast them out and let you guys correct them (thank you) for me in private comments over time?