A vulnerability discovered in the U.S. Federal Communications Commission’s Electronic Comment Filing System, the service that allows the public to leave comments on proposed rule changes, also allows potentially malicious uploads to be hosted on the government website.

The exploit came to light late Wednesday night when a file that appeared to be an official press release from the commission started making the rounds.

The brief but official-looking statement, stamped with the FCC’s seal and hosted on the commission’s website, read, “Dear American citizenry, we’re sorry Ajit Pai is such a filthy spineless cuck. Sincerely, the FCC.”


While the document had all of the markings of an official FCC statement, the text, in which FCC Chairman Ajit Pai is referred to in less-than-savory terms, is anything but official.

Despite reports that the memo was an internal joke among staff that leaked or was accidentally made public, and suggestions that it was posted by a dissenting staffer making their disapproval of the chairman known, the message was not an actual, official document. It was created by someone with no affiliation with the FCC.

Instead, the statement came from a user who uploaded the file using the application programming interface (API) for the FCC's Electronic Comment Filing System—a service that can be used by anyone with an email address.

Security researchers discovered the API could be used to publish nearly any document directly to the FCC’s website, where it would be published instantly without undergoing any sort of screening process.

The controversial message directed at Chairman Pai, uploaded as a PDF document via the comment system API, served as evidence of just how easy it is for anyone to upload a file and have it hosted on the FCC’s site, complete with the .gov domain that makes it easily mistakable for an official file.

The API allows anyone with an email address to upload files with no other form of verification. A user can upload files in the form of PDFs, GIFs, ELFs, MP4 videos and even executable files up to 25MB in size.

It’s not uncommon for PDF files to be used to disguise malware and trick users into downloading malicious files, but with support for .exe files, a user could directly upload malicious software to the FCC’s site and have it hosted on a .gov domain, making it easy to trick a victim into thinking the file is legitimate.
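One way a site operator could screen such uploads before publishing them, as an added defensive illustration that is not the FCC’s or the comment system’s own code: the allowlist of PDF, GIF and MP4, the rejection of ELF and Windows PE executables, and the name-versus-content check are assumed policy, and the 25MB cap is the figure cited above.

```python
# Constructed, defensive example of server-side upload screening for a
# public filing API (not FCC/ECFS code). Type is decided from file content
# (magic bytes), never from the client's declared name or MIME type.

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # the 25MB limit the article cites

# Content signatures of the types this example allows (assumed policy).
ALLOWED_SIGNATURES = {
    "pdf": [b"%PDF-"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Native executable headers that should never be served from the site.
EXECUTABLE_SIGNATURES = {
    "elf": b"\x7fELF",   # Linux/Unix ELF binaries
    "pe": b"MZ",         # Windows .exe/.dll (DOS stub header)
}


def sniff_type(data: bytes) -> str:
    """Return a type label derived from the file's leading bytes only."""
    for label, sig in EXECUTABLE_SIGNATURES.items():
        if data.startswith(sig):
            return "executable-" + label
    for label, sigs in ALLOWED_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return label
    # MP4 (ISO BMFF): a 4-byte box size followed by the 'ftyp' box type.
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def screen_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be published. Returns (accept, reason)."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "exceeds size limit"
    kind = sniff_type(data)
    if kind.startswith("executable-"):
        return False, f"native executable rejected ({kind})"
    if kind == "unknown":
        return False, "content type not in allowlist"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != kind:
        # A .pdf name on GIF or ELF bytes is a mismatch to refuse, not guess at.
        return False, f"extension .{ext} does not match content ({kind})"
    return True, kind
```

Publishing only after a check like this, plus a human or automated review queue, would have stopped a renamed executable from being served from the .gov domain; it does not address the separate problem of a PDF that is itself malicious.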

The FCC has not yet issued any statement on the vulnerability, though as of Wednesday night the commission’s comment system did stop handing out API keys to any person with an email address. It’s unclear if the FCC cut off that accessibility or if people overwhelmed the system with requests.

Meanwhile, the uploader of the fake FCC statement about Chairman Pai has spoken out and seems to regret the upload. Security blogger Guise Bule spoke with the uploader, who is a college student, about the document.

The student created the file as a joke and uploaded it to the public comments on Chairman Pai’s proposal to roll back net neutrality protections. The student didn’t expect anyone would take notice—and especially didn’t expect to unearth a security vulnerability—given that there are more than 21 million public comments on the net neutrality docket.