The FCC Website Lets You Upload Malware Using Its Own Public API Key

The FCC lets you upload any file to their website and make that file publicly accessible using the FCC.gov domain. Or rather they don't, but they have somehow not realized that they are letting people do it and telling them how in their own documentation. From a report: Take a look at this document about FCC Chairman Ajit Pai which has clearly not been put there by anyone who works at the FCC, neither has this one. Those currently uploading files are able to do this using the FCC's own public API, a key that they seem to send to anyone with any email address. Obviously I am not going to tell you how, but if you have enough of the right kind of technical experience the public FCC API documentation will. People seem to be experimenting uploading different filetypes, so far they have managed pdf/gif/ELF/exe/mp4 files up to 25MB in size, which means that you could easily host malware on the FCC.gov website right now and use it in phishing campaigns that link to malware on a .gov website.

How long before it is hosting kiddy porn

[Bob+the+Super+Hamste]

How long before it is hosting kiddy porn and will the FBI raid them?

Re:How long before it is hosting kiddy porn

[the_skywise]

That's just what they want people to do. Track the malware files back to their uploaders.

It's a reverse honey-pot.

Re:How long before it is hosting kiddy porn

"That's just what they want people to do. Track the malware files back to their uploaders."

Starbucks?

Re:How long before it is hosting kiddy porn

Remember Spicey's feud with Dip-n-Dots? Well, Chairman Pai hates Starbuck's. Something about "not being a real unicorn".

Re:How long before it is hosting kiddy porn

All I gotta say is: yet another evidence of Trump - Russia collusion.
Hitler impeachment any day now. Hillary 2020!

Re:How long before it is hosting kiddy porn

You crack me up...

Re:How long before it is hosting kiddy porn

Perhaps never...
There may be some kind of filter after upload that look for malware and other undesirable content. It is trivial to have a malware scanner embedded in the upload process. Looking for porn might be a bit harder, but perhaps modern AI can even handle that.
The only way to know for sure is to try it. I lack source material, so I will leave that as an exercise to the reader.

Re:How long before it is hosting kiddy porn

[chuckugly]

Two birds, with a publicly funded stone.

Re:How long before it is hosting kiddy porn

[R3d+M3rcury]

I'm thinking it's Obama's fault.

Re:How long before it is hosting kiddy porn

What's wrong with Russia colluding with USA to become more democratic? Why does everyone see this as a bad thing?

Hitler is dead and Hilary will never be president. I'd vote for anyone else, and did. She's corrupt to the core. At least he's corrupt towards himself rather than grabbing power for his party. Scope matters.

So...Slashdot expects me...

to download random files of unknown origin, from a website they say can't be trusted? That is, if I am to believe the article summary.

Re:So...Slashdot expects me...

They're just PDF files, what's the worst that could happen?

Re:So...Slashdot expects me...

VirusTotal currently sees them both as clean.

7521271363.pdf - https://www.virustotal.com/#/file/0ebe6eba267865b1aaef9d85fa62310bd9183af020ded50295c56a4b74e98a53/detection

DOC-578d579d1f000000-A.pdf - https://www.virustotal.com/#/file/76b70ae6f0db01c721e39f4bebc00b0aa207c26a8ae5bb5543b3dae266907c4b/detection

Re:So...Slashdot expects me...

DOC-578d579d1f000000-A.pdf:

To: The American People
From: The Federal Communications Commission
1-888-225-5322
445 12th Street SW, Washington, DC 20554
Dear American citizenry,
We’re sorry Ajit Pai is such a filthy spineless cuck.
Sincerely,
The FCC

7521271363.pdf:

Fuck Net Neutrality. God bless America!

Re: So...Slashdot expects me...

[Ralgha]

The first one is probably legit. It's an accurate description of Ajit Paid, and they want to apologise for how much of a tool he is.

Re:So...Slashdot expects me...

[Gavagai80]

If you use Adobe Reader to open the PDF, complete destruction of all life in the universe.

Re:So...Slashdot expects me...

Hahahahahaha awesome.

Re: So...Slashdot expects me...

The second is legit too. Get rid of inequity and receive a blessing.

Re:So...Slashdot expects me...

If you use Adobe Reader to open the PDF, complete destruction of all life in the universe.

Some say this has already happened.

Re:So...Slashdot expects me...

I'm not clicking that.

Anyone have an API key?

[technoid_]

Anyone mind sharing a valid API key?

Re:Anyone have an API key?

Damn you're lazy...

Read the summary and get your own.

Re:Anyone have an API key?

https://10minutemail.com/, now you can have your own.

Decision Makers

[bezenek]

And these are the people who are making decisions about the future of the Internet?

Re:Decision Makers

[lactose99]

Making decisions? Its already made, to bend over backwards for Big Business at the expense of the public

Re:Decision Makers

No. I highly doubt that Mr. Ajit Paid or Mignon Clyburn or any of the other commissioners or their staff write web apps or web pages. That said, they should have the USDS (US Digital Service) take a look at and fix their site.

Re:Decision Makers

[bobbied]

I hope you are not surprised by this.. The FCC has been this way for decades now.

Re:Decision Makers

Don't you worry about that! Web developers and the ubiquity of outrageously poorly implemented javascript has crippled and will ultimately destroy the WWW beyond all recognition long before Big Business has any chance to successfully create and roll-out any profit model that does anything but lose money. The public is safe. Web browsers? Not so much.

Re:Decision Makers

Making decisions? Its already made, to bend over backwards for Big Business at the expense of the public

Making decisions? Its already made, to bend over backwards for Civil Rights Extremists at the expense of the public.

There, FTFY.

the fles

[mrwireless]

In case the files get removed or you use a text-only browser: The first PDF document looks like an official FCC letter and reads: Dear American citizenry, Weâ(TM)re sorry Ajit Pai is such a filthy spineless cuck. Sincerely, The FCC The second PDF is just an empty document with one line of profanity.

Re:the fles

[mugurel]

I like how you regard the rejection of net neutrality as profanity.

Re:the fles

Your bias is showing, faggot.

DOC-578d579d1f000000-A.pdf:

To: The American People
From: The Federal Communications Commission
1-888-225-5322
445 12th Street SW, Washington, DC 20554
Dear American citizenry,
We’re sorry Ajit Pai is such a filthy spineless cuck.
Sincerely,
The FCC

7521271363.pdf:

Fuck Net Neutrality. God bless America!

If you live in America and don't like it, get the fuck out.

RCE?

[CODiNE]

so far they have managed pdf/gif/ELF/exe/mp4

Eh... interesting but boring. How about PHP/asp/py/pl/vbs and other server side languages?

Re:RCE?

[schleimkeim]

I really hope no one uses vbs as a server side language.

Re:RCE?

ASP.net can

Re:RCE?

Yup (*spits*) there's yer problem.

They'll fix it with Secret Sauce

Just as with their DDoS mitigation tactics, you can bet that they will fix this with some "commercial cloud partner" Secret Sauce. Because God knows, we can't expect the Federal Communications Commission to have in-house the technical skills to competently run a reasonably safe server that allows them to accept public comment and supporting evidence documents over The Internet.

Re:They'll fix it with Secret Sauce

This is what you get after enabling a Statist State.

Government will continue the rape of Liberty until it becomes so small that it can be drowned in a bathtub.

Corporate Agenda Comi$$ion

I hope you are not surprised by this.. The FCC has been this way for decades now.

Indeed, younguns should take a moment and watch Pump Up The Volume (again). Everybody knows the war is over.

<Comment Subject>

[easyTree]

Perhaps we might see an unexpected release on their site about how they've decided to 'do the right thing (tm)' re. net neutrality ?

unintended consequences

[nobuddy]

When they opened up the site for the auto-submit bots from Comcast and Verizon to flood their public feedback channel with ant-neutrality comments, this was a side effect.