A laughably insecure comment system has left US comms watchdog the FCC open to malware attack, and the agency doesn't seem to know what to do about it.
The security hole was spotted by a 20-year-old US university student, who found that when someone applies to put a comment onto the FCC website, the system allows almost any file type to be uploaded to its servers. Given the large number of file types that can harbor malware, the FCC is making itself a target. The flaw appears to be at least five months old.
"The bloke who found this is scared to death," Guise Bule, the security blogger who wrote about the hole, told The Register. "He's not a computer security whizz, just someone who spotted the issue."
The problem is that the FCC's public API is available to anyone with an email address, and publicly documented. It allows files of up to 25MB to be uploaded – more than enough space for a very nasty package of goodies indeed.
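The kind of allow-list check a comment upload endpoint should apply, as an added example that is not the FCC's code: it takes the 25MB cap from the article, and the accepted types, magic signatures and sample files are constructed for illustration.

```python
import os

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # the 25MB cap the article describes

# Allow-list (assumption: a comment system only needs documents/images).
# Each extension must match one of the listed leading byte signatures,
# so a renamed file is caught by content, not by name.
ALLOWED = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
}

# Signatures rejected regardless of the declared name.
BLOCKED_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xd0\xcf\x11\xe0": "OLE compound document (legacy Office, may carry macros)",
    b"PK\x03\x04": "ZIP container (Office/JAR/archives)",
}


def validate_upload(filename, data):
    """Return (accepted, reason) for a candidate comment attachment."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "exceeds 25MB limit"
    for magic, desc in BLOCKED_MAGIC.items():
        if data.startswith(magic):
            return False, f"blocked content: {desc}"
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not on allow-list"
    if not any(data.startswith(m) for m in ALLOWED[ext]):
        return False, f"content does not match declared type {ext}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a real-looking PDF header, and an executable
    # renamed to .pdf, which an extension-only check would wave through.
    samples = [
        ("comment.pdf", b"%PDF-1.4\n%constructed sample\n"),
        ("comment.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("notes.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("brief.docx", b"PK\x03\x04\x14\x00"),
    ]
    for name, blob in samples:
        print(name, validate_upload(name, blob))
```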
People have already started having fun with the site, posting up a document designed to look like an FCC comment from the agency's staff. The comment reads: "Dear American citizenry, We're sorry Ajit Pai is such a filthy spineless cuck. Sincerely, The FCC"
It now appears that the practice has been stopped, but with one important caveat, according to Bule. The demonstration key the FCC provides still appears to work.
"Looks like they either stopped sending out new API keys or their system's overloaded. I tried requesting with two different email addresses." — Liam Kirsh (@choicefresh), August 31, 2017
"The FCC comment system is designed to maximize inclusiveness and part of that system allows anyone to upload a document as a public comment, which is what happened in this case," the agency told The Register.
"The Commission has had procedures in place to prevent malware from being uploaded to the comment system. And the FCC is running additional scans and taking additional steps with its cloud partners to make sure no known malware has been uploaded to the comment system." ®