Slashdot Mirror


The FCC Website Lets You Upload Malware Using Its Own Public API Key (hackernoon.com)

The FCC lets you upload any file to their website and make that file publicly accessible using the FCC.gov domain. Or rather they don't, but they have somehow not realized that they are letting people do it and telling them how in their own documentation. From a report: Take a look at this document about FCC Chairman Ajit Pai which has clearly not been put there by anyone who works at the FCC, nor has this one. Those currently uploading files are able to do this using the FCC's own public API, a key that they seem to send to anyone with any email address. Obviously I am not going to tell you how, but if you have enough of the right kind of technical experience the public FCC API documentation will. People seem to be experimenting with uploading different file types; so far they have managed pdf/gif/ELF/exe/mp4 files up to 25MB in size, which means that you could easily host malware on the FCC.gov website right now and use it in phishing campaigns that link to malware on a .gov website.
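The weakness the report describes is an upload endpoint that stores and serves whatever bytes it is given, keyed only by a freely issued API key. The example below is added here and is not code from the FCC API, the hackernoon report, or any Slashdot poster; it shows the server-side gatekeeping a public document-upload endpoint would need to refuse ELF/exe/mp4 blobs and to serve accepted files without the browser executing or sniffing them. The allowlist, the `check_upload` and `download_headers` names, and the sample uploads are assumptions constructed for illustration.

```python
# Added example: content-based gatekeeper for a public document-upload endpoint.
# Not code from the FCC API or the report; names, limits and the allowlist are
# assumptions chosen for illustration.
from dataclasses import dataclass
from typing import Dict, Optional
import os

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # 25MB, the size limit the report mentions

# Allowlist: leading magic bytes -> canonical media type. Only document/image
# types a public-comment system plausibly needs (assumed allowlist).
ALLOWED_SIGNATURES: Dict[bytes, str] = {
    b"%PDF-": "application/pdf",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}

# Extension the client claims -> media type the bytes must actually contain.
EXTENSION_TYPES: Dict[str, str] = {
    ".pdf": "application/pdf",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
}

# Executable containers are refused outright, whatever the filename says.
EXECUTABLE_SIGNATURES: Dict[bytes, str] = {
    b"\x7fELF": "ELF executable",
    b"MZ": "PE executable",
}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str
    media_type: Optional[str] = None


def detect_type(data: bytes, table: Dict[bytes, str]) -> Optional[str]:
    """Return the label whose magic bytes prefix `data`, or None."""
    for magic, label in table.items():
        if data.startswith(magic):
            return label
    return None


def check_upload(filename: str, data: bytes,
                 max_bytes: int = MAX_UPLOAD_BYTES) -> Verdict:
    """Decide whether an uploaded blob may be stored and served.

    The decision is driven by the bytes, not by the client's filename or
    Content-Type header, both of which the uploader controls.
    """
    if not data:
        return Verdict(False, "empty upload")
    if len(data) > max_bytes:
        return Verdict(False, f"exceeds {max_bytes} bytes")

    exe = detect_type(data, EXECUTABLE_SIGNATURES)
    if exe:
        return Verdict(False, f"executable content refused: {exe}")

    actual = detect_type(data, ALLOWED_SIGNATURES)
    if actual is None:
        return Verdict(False, "content type not on allowlist")

    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TYPES.get(ext)
    if claimed != actual:
        # e.g. PDF bytes under a .png or .exe name: reject rather than trust either side
        return Verdict(False, f"extension {ext!r} does not match content {actual}")

    return Verdict(True, "ok", actual)


def download_headers(media_type: str, stored_name: str) -> Dict[str, str]:
    """Headers for serving an accepted file: force download, pin the type,
    disable MIME sniffing and inline script execution. `stored_name` is a
    server-generated name, never the uploader's filename."""
    return {
        "Content-Type": media_type,
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample uploads, not real files from the incident.
    samples = {
        "letter.pdf": b"%PDF-1.4\n%constructed sample\n",
        "letter.exe": b"MZ\x90\x00constructed PE header",
        "dropper.pdf": b"\x7fELF\x02\x01\x01constructed ELF header",
        "photo.png": b"%PDF-1.4 mislabelled pdf",
        "clip.mp4": b"\x00\x00\x00\x18ftypmp42",
    }
    for name, blob in samples.items():
        v = check_upload(name, blob)
        print(f"{name:12} accepted={v.accepted!s:5} {v.reason}")
```

Running the block rejects every sample except `letter.pdf`. The check order matters: size first (so no signature work is done on oversized input), executables second, allowlist third, and only then the claimed extension, which is cross-checked against the detected type instead of being trusted.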

21 of 41 comments

  1. How long before it is hosting kiddy porn by Bob+the+Super+Hamste · · Score: 3, Interesting

    How long before it is hosting kiddy porn and will the FBI raid them?

    --
    Time to offend someone
    1. Re:How long before it is hosting kiddy porn by the_skywise · · Score: 1

      That's just what they want people to do. Track the malware files back to their uploaders.

      It's a reverse honey-pot.

    2. Re:How long before it is hosting kiddy porn by Anonymous Coward · · Score: 1

      "That's just what they want people to do. Track the malware files back to their uploaders."

      Starbucks?

    3. Re:How long before it is hosting kiddy porn by Anonymous Coward · · Score: 1

      All I gotta say is: yet more evidence of Trump - Russia collusion.
      Hitler impeachment any day now. Hillary 2020!

    4. Re:How long before it is hosting kiddy porn by chuckugly · · Score: 1

      Two birds, with a publicly funded stone.

    5. Re:How long before it is hosting kiddy porn by R3d+M3rcury · · Score: 1

      I'm thinking it's Obama's fault.

  2. So...Slashdot expects me... by Anonymous Coward · · Score: 3, Interesting

    to download random files of unknown origin, from a website they say can't be trusted? That is, if I am to believe the article summary.

    1. Re:So...Slashdot expects me... by Anonymous Coward · · Score: 1

      They're just PDF files, what's the worst that could happen?

    2. Re: So...Slashdot expects me... by Ralgha · · Score: 2

      The first one is probably legit. It's an accurate description of Ajit Paid, and they want to apologise for how much of a tool he is.

    3. Re:So...Slashdot expects me... by Gavagai80 · · Score: 1

      If you use Adobe Reader to open the PDF, complete destruction of all life in the universe.

      --
      This space intentionally left blank
  3. Decision Makers by bezenek · · Score: 4, Funny

    And these are the people who are making decisions about the future of the Internet?

    --
    Omne ignotum pro magnifico.
    1. Re:Decision Makers by lactose99 · · Score: 4, Insightful

      Making decisions? It's already made, to bend over backwards for Big Business at the expense of the public.

      --
      Fully licensed blockchain psychiatrist
    2. Re:Decision Makers by bobbied · · Score: 1

      I hope you are not surprised by this. The FCC has been this way for decades now.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  4. the files by mrwireless · · Score: 5, Interesting

    In case the files get removed or you use a text-only browser: The first PDF document looks like an official FCC letter and reads: "Dear American citizenry, We're sorry Ajit Pai is such a filthy spineless cuck. Sincerely, The FCC" The second PDF is just an empty document with one line of profanity.

    1. Re:the files by mugurel · · Score: 1

      I like how you regard the rejection of net neutrality as profanity.

  5. RCE? by CODiNE · · Score: 2

    so far they have managed pdf/gif/ELF/exe/mp4

    Eh... interesting but boring. How about PHP/asp/py/pl/vbs and other server side languages?

    --
    Cwm, fjord-bank glyphs vext quiz
    1. Re:RCE? by schleimkeim · · Score: 1

      I really hope no one uses vbs as a server side language.

  6. They'll fix it with Secret Sauce by Anonymous Coward · · Score: 1

    Just as with their DDoS mitigation tactics, you can bet that they will fix this with some "commercial cloud partner" Secret Sauce. Because God knows, we can't expect the Federal Communications Commission to have in-house the technical skills to competently run a reasonably safe server that allows them to accept public comment and supporting evidence documents over The Internet.

  7. Corporate Agenda Comi$$ion by Anonymous Coward · · Score: 1

    I hope you are not surprised by this. The FCC has been this way for decades now.

    Indeed, younguns should take a moment and watch Pump Up The Volume (again). Everybody knows the war is over.

  8. <Comment Subject> by easyTree · · Score: 1

    Perhaps we might see an unexpected release on their site about how they've decided to 'do the right thing (tm)' re: net neutrality?

  9. unintended consequences by nobuddy · · Score: 1

    When they opened up the site for the auto-submit bots from Comcast and Verizon to flood their public feedback channel with anti-neutrality comments, this was a side effect.