Slashdot Mirror


The FCC Website Lets You Upload Malware Using Its Own Public API Key (hackernoon.com)

The FCC lets you upload any file to their website and make that file publicly accessible using the FCC.gov domain. Or rather they don't, but they have somehow not realized that they are letting people do it and telling them how in their own documentation. From a report: Take a look at this document about FCC Chairman Ajit Pai which has clearly not been put there by anyone who works at the FCC, neither has this one. Those currently uploading files are able to do this using the FCC's own public API, a key that they seem to send to anyone with any email address. Obviously I am not going to tell you how, but if you have enough of the right kind of technical experience the public FCC API documentation will. People seem to be experimenting with uploading different filetypes; so far they have managed pdf/gif/ELF/exe/mp4 files up to 25MB in size, which means that you could easily host malware on the FCC.gov website right now and use it in phishing campaigns that link to malware on a .gov website.


  1. How long before it is hosting kiddy porn by Bob the Super Hamste · Score: 3, Interesting

    How long before it is hosting kiddy porn and will the FBI raid them?

    --
    Time to offend someone
  2. So...Slashdot expects me... by Anonymous Coward · Score: 3, Interesting

    to download random files of unknown origin, from a website they say can't be trusted? That is, if I am to believe the article summary.

    1. Re: So...Slashdot expects me... by Ralgha · Score: 2

      The first one is probably legit. It's an accurate description of Ajit Paid, and they want to apologise for how much of a tool he is.

  3. Decision Makers by bezenek · Score: 4, Funny

    And these are the people who are making decisions about the future of the Internet?

    --
    Omne ignotum pro magnifico.
    1. Re:Decision Makers by lactose99 · Score: 4, Insightful

      Making decisions? It's already made, to bend over backwards for Big Business at the expense of the public.

      --
      Fully licensed blockchain psychiatrist
  4. the files by mrwireless · Score: 5, Interesting

    In case the files get removed or you use a text-only browser: The first PDF document looks like an official FCC letter and reads: "Dear American citizenry, We're sorry Ajit Pai is such a filthy spineless cuck. Sincerely, The FCC". The second PDF is just an empty document with one line of profanity.

  5. RCE? by CODiNE · Score: 2

    so far they have managed pdf/gif/ELF/exe/mp4

    Eh... interesting but boring. How about PHP/asp/py/pl/vbs and other server side languages?

    --
    Cwm, fjord-bank glyphs vext quiz
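The summary describes a public upload API that stores whatever it is given (ELF, exe, mp4, up to 25MB) and serves it from a trusted domain, and the RCE comment above asks about server-side script types. As an added example that is not the FCC's code or anything from the article, here is the kind of upload gate a defender would put in front of such an endpoint: an extension allowlist, magic-byte checks so the bytes must match the declared type, a deny-list of executable and script signatures, the 25MB cap, and download-only response headers. Signatures are the published ones for each format; the function names are my own.

```python
from dataclasses import dataclass

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # the 25MB limit mentioned in the article

# extension -> accepted leading byte signatures (from the public format specs)
ALLOWED_SIGNATURES = {
    "pdf": (b"%PDF-",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Signatures that are never accepted regardless of the declared name:
# ELF, Windows PE ("MZ"), shebang scripts, and PHP source.
DENY_PREFIXES = (b"\x7fELF", b"MZ", b"#!", b"<?php")


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def validate_upload(filename: str, data: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> Verdict:
    """Decide whether `data` may be stored under `filename` on a public host."""
    if len(data) > max_bytes:
        return Verdict(False, "too large")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_SIGNATURES:
        return Verdict(False, f"extension '.{ext}' not in allowlist")
    # The name is attacker-controlled: check the bytes, not the extension.
    if data.startswith(DENY_PREFIXES):
        return Verdict(False, "executable or script content")
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return Verdict(False, f"content does not match .{ext} signature")
    return Verdict(True, "ok")


def response_headers(filename: str) -> dict:
    """Headers for serving an accepted file: force download, forbid MIME sniffing."""
    safe_name = filename.replace('"', "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample inputs: a real-looking PDF, an ELF renamed to .pdf, a PHP file.
    print(validate_upload("letter.pdf", b"%PDF-1.4 hello"))
    print(validate_upload("letter.pdf", b"\x7fELF" + b"\0" * 60))
    print(validate_upload("index.php", b"<?php echo 1; ?>"))
```

Serving every stored file as an attachment with `nosniff` also removes the browser-side risk of a stored HTML or SVG file rendering under the trusted origin.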