
Resolved: FCC Comment Filing System contains significant API security hole

WMGroomAK

Well, with the comment period closing for the FCC's net neutrality rules and all of the comments and site activity this has received, there is apparently a fairly significant security hole in their Application Programming Interface that allows anyone to upload any type of file to their site...

 

https://arstechnica.com/information-technology/2017/08/fccs-public-comment-api-lets-you-post-just-about-anything-to-gov-website/

Quote

The application programming interface for the FCC's Electronic Comment Filing System that enables public comment on proposed rule changes—such as the dropping of net neutrality regulations currently being pushed by FCC Chairman Ajit Pai—has been the source of some controversy already. It exposed the e-mail addresses of public commenters on network neutrality—intentionally, according to the FCC, to ensure the process' openness—and was the target of what the FCC claimed was a distributed denial of service (DDoS) attack. But as a security researcher has found, the API could be used to push just about any document to the FCC's website, where it would be instantly published without screening. That was demonstrated by a PDF published with Microsoft Word that was uploaded to the site, now publicly accessible.

 

Other researchers reproduced the vulnerability on August 30, posting about their findings to Twitter. Because of the open nature of the API, an application key can be obtained with any e-mail address.

 

While the content exposed via the site thus far is mostly harmless, the API could be used for malicious purposes as well. Since the API apparently accepts any file type, it could theoretically be used to host malicious documents and executable files on the FCC's Web server.

I would like to say that I'm surprised by this, but not really...  Probably a lowest bidder contract to put together the comment system...  If you do end up browsing any of the FCC comments, I would be cautious of any files that someone has uploaded...  Seems like it might make for a fairly efficient attack vector with some of the contentious issues that are going on.

 

Word Document that was uploaded:  https://ecfsapi.fcc.gov/file/DOC-578d579d1f000000-A.pdf

Quote

Dear American citizenry,


We’re sorry Ajit Pai is such a filthy spineless cuck.

 

Sincerely,
The FCC

 

UPDATE: At least it appears someone fixed this in a nearly timely fashion...  Don't like that it even existed in the first place as an obvious security hole.

http://www.bbc.com/news/technology-41124831

Quote

The Federal Communications Commission (FCC) has taken steps to secure its website after users discovered they could upload malware to it.


On Thursday, security researchers discovered a function connected to the US government agency website's comment system that let them upload files.


The site allowed anyone to sign up to obtain a software key that let them upload the files they wanted.


The FCC said there was no evidence malware had actually been uploaded.


"The FCC comment system is designed to maximise inclusiveness and part of that system allows anyone to upload a document as a public comment, which is what happened in this case," the FCC told the BBC.


"The Commission has had procedures in place to prevent malware from being uploaded to the comment system. And the FCC is running additional scans and taking additional steps with its cloud partners to make sure no known malware has been uploaded to the comment system."


At the time of writing it is no longer possible to upload files in this manner, the communications watchdog said.

 

Edited by WMGroomAK
Resolved News Article
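The hole described above is an upload endpoint that took any file type and published it immediately. As an added example (not FCC or ECFS code, and not from the articles quoted), this is the kind of server-side gate that would have closed it: the extension must be on a short allowlist, the leading bytes must match that extension's signature, executable formats are refused outright, and nothing is published until a scan clears it. The signatures, size limit and sample payloads are all constructed for the example.

```python
"""Server-side upload gate for a public comment system.

Added hardening example, not the FCC ECFS code: the handler described in
the thread accepted any file type and published it instantly. Here a file is
accepted only if its extension is allowlisted AND its leading bytes match the
signature expected for that extension, and it is held for scanning rather
than being published straight away.
"""

# Extension -> expected leading bytes. Kept deliberately small: a comment
# system needs documents, not executables.
ALLOWED_SIGNATURES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Leading bytes of executable formats that must never be published.
EXECUTABLE_SIGNATURES = (b"MZ", b"\x7fELF", b"#!")

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit for the example


def extension_of(filename: str) -> str:
    """Lower-cased final extension of the basename, or '' if none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return ('quarantine', reason) for files worth scanning, else ('reject', reason)."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return "reject", "size out of range"
    if data.startswith(EXECUTABLE_SIGNATURES):
        return "reject", "executable content"
    ext = extension_of(filename)
    expected = ALLOWED_SIGNATURES.get(ext)
    if expected is None:
        return "reject", "extension %s not allowed" % (ext or "(none)")
    if not data.startswith(expected):
        return "reject", "content does not match %s signature" % ext
    # Nothing is public yet: the file waits in a scan queue and only gets a
    # public URL after the scanner clears it.
    return "quarantine", "pending malware scan"


# Constructed sample payloads (not files from the thread).
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
EXE_RENAMED_AS_PDF = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("comment.pdf", PDF_SAMPLE), ("comment.pdf", EXE_RENAMED_AS_PDF),
                       ("tool.exe", EXE_RENAMED_AS_PDF), ("x.png", PDF_SAMPLE)]:
        print(name, validate_upload(name, blob))
```

The "quarantine" result is the point: even an allowlisted, well-formed PDF should not get a public URL on the same request that uploaded it.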

Can't say I don't agree with the Word Document tbh.


Looks legit, it's a Word document.
