The first PDF to be hosted and appear publicly.

The Website Lets You Upload Malware Using Its Own Public API Key

Somewhat incredibly, the FCC lets you upload any file to their website and make it publicly accessible using the domain. Or rather they don’t, but they have somehow not realized that they are letting people do it and are telling them how in their own documentation.

Take a look at this document about FCC Chairman Ajit Pai, which has clearly not been put there by anyone who works at the FCC, and neither has this one. (UPDATE: The links no longer work; the FCC has disabled them.)

First Report Of The Breach On Twitter

Those currently uploading files are able to do this using the FCC’s own public API, with a key that they seem to send to anyone with any email address.

FCC API Key Signup Confirmation

I am not going to tell you how and obviously I have never actually done this myself, but if you have enough of the right kind of technical experience the public FCC API documentation tells you all you need to know.

From what I can see happening on Twitter, people seem to be experimenting with uploading different filetypes and so far they have managed pdf/gif/ELF/exe/mp4 files up to 25MB in size.

This means that you could easily host malware on the website and use it in phishing campaigns that link to malware on a .gov website.

So far those with the technical chops have discovered that you can upload video and play it back using an link, some have been having trouble uploading, while others playing with the vulnerability are clearly not.

Check out this funny hosted picture. It was the first image hosted, but I am not going to link to any others, because you can imagine.

This is clearly hugely embarrassing for the FCC and even though they seem to have disabled public API use until they investigate further, I am told that their DEMO API works just fine still and all the content is still hosted.

We can’t have people uploading fake communications carrying an FCC letterhead and pretending they are real documents. The potential for fraudulent use is ridiculously high and this vulnerability is easily abused.

This story is so new that it hasn’t hit the mainstream tech media yet (Update: The Register, Gizmodo, Vice and Breitbart covered this story) and even though we only just publicly realized this vulnerability existed, who knows how long it has been abused by people who found it earlier?

**** UPDATE : Interview with OP ****

I have just finished interviewing the guy who sent that very first cuck PDF up onto the FCC website and he has asked me to keep his name confidential for now until we see how this story plays out tomorrow in the media.

I verified his account by checking the original PDF document's metadata and it was created long before the first mention of this story on the web, long before I first noticed others using the vulnerability and before I wrote this.

OP is legit and he stumbled across this vulnerability, he then stumbled across my story and reached out to me to talk, agreeing to go on record.

He did this because he knows that I protect my sources.

Always have, always will.

OP was commenting on the website just before the midnight deadline and he realized that they assigned a URL to a file before posting a comment.

The “express” comment filing system that most people are using does not allow you to attach files and I was using the more ‘robust’ filing feature.

Commenting UI
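An added example, not part of the original article and not the FCC's code: a minimal upload gate addressing the two behaviours reported above, arbitrary file types being accepted and a public URL existing before the comment is filed. The `UploadStore` class, the `/attachments/` path, the PDF-only allowlist and the sample byte strings are assumptions constructed for illustration.

```python
import secrets

MAX_BYTES = 25 * 1024 * 1024            # size ceiling reported in the article
ALLOWED_MAGIC = {b"%PDF-": "application/pdf"}   # assumed policy: PDF only

# Constructed sample inputs (file headers only, not real files).
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample\n"
SAMPLE_ELF = b"\x7fELF\x02\x01\x01\x00"
SAMPLE_PE = b"MZ\x90\x00\x03\x00"
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00"


class UploadStore:
    """Hypothetical store: attachments stay private until their filing is accepted."""

    def __init__(self):
        self._pending = {}     # upload_id -> (filing_id, content_type, data)
        self._published = {}   # public path -> (content_type, data)

    def stage(self, filing_id, data):
        """Validate by content, never by the client-supplied name or MIME type."""
        if not data or len(data) > MAX_BYTES:
            raise ValueError("empty or oversized upload")
        ctype = next((t for m, t in ALLOWED_MAGIC.items() if data.startswith(m)), None)
        if ctype is None:
            raise ValueError("file type not on the allowlist")
        upload_id = secrets.token_hex(16)   # opaque handle, not a fetchable URL
        self._pending[upload_id] = (filing_id, ctype, data)
        return upload_id

    def accept_filing(self, filing_id):
        """Publish attachments only after the comment is submitted and reviewed."""
        urls = []
        for uid, (fid, ctype, data) in list(self._pending.items()):
            if fid == filing_id:
                path = f"/attachments/{uid}"
                self._published[path] = (ctype, data)
                del self._pending[uid]
                urls.append(path)
        return urls

    def fetch(self, path):
        """Anonymous GET: staged items do not resolve; published ones force a download."""
        if path not in self._published:
            return 404, {}, b""
        ctype, data = self._published[path]
        headers = {"Content-Type": ctype, "Content-Disposition": "attachment",
                   "X-Content-Type-Options": "nosniff"}
        return 200, headers, data
```

A magic-byte match only establishes the container type, so content scanning of accepted PDFs and serving attachments from a separate origin remain further steps outside this sketch.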

OP was upset about Net Neutrality and decided to create a document containing the now immortal sentence and upload it to the FCC.

OP is a 20-year-old student at university who was goofing off from his homework and decided to have some fun. He saw it as a dumb joke and had no idea that things would get so out of hand, or that others would follow his lead.

He also did not think anyone would notice his PDF; otherwise he would have written the document in a more mature way, he told me.

It’s also important to note that OP believes that he never agreed to the TOS because he never applied for an API key, he just managed to get the URL through their faulty comment system, no hacking involved.

This is absolutely true, the FCC doesn't enforce their TOS anywhere, you can sign up here and here without ever having to agree to a terms of service agreement of any kind, so OP seemingly didn't break their TOS.

OP is scared and a lot of you are making him really worried about this, so it's worth noting that he did not actually hack anything to upload his PDF.

This kind of talk has OP worried.

OP has already written to the EFF to ask for advice, he really does believe he is about to enter a world of pain for this, just as he is leaving university to begin his professional career and interviewing for jobs.

He thought that nobody would see it, so he took no privacy precautions.

I think we can all agree that OP was foolish, but fingers crossed nobody will harshly punish him for what is very obviously a flaw in the FCC website and a huge gaping hole in the FCC’s cybersecurity posture.

OP did us a favor and we are lucky that criminals didn't find it first.
