The FCC Website Lets You Upload Malware Using Its Own Public API Key

The FCC lets you upload any file to their website and make that file publicly accessible using the FCC.gov domain. Or rather they don’t, but they have somehow not realized that they are letting people do it and telling them how in their own documentation. From a report: Take a look at this document about FCC Chairman Ajit Pai which has clearly not been put there by anyone who works at the FCC, neither has this one. Those currently uploading files are able to do this using the FCC’s own public API, a key that they seem to send to anyone with any email address. Obviously I am not going to tell you how, but if you have enough of the right kind of technical experience the public FCC API documentation will. People seem to be experimenting uploading different filetypes, so far they have managed pdf/gif/ELF/exe/mp4 files up to 25MB in size, which means that you could easily host malware on the FCC.gov website right now and use it in phishing campaigns that link to malware on a .gov website.

Share on Google+

of this story at Slashdot.

    

Posted in Uncategorized