FCC “apology” shows anything can be posted to agency site using insecure API

The Federal Communications Commission's website already gets a lot of traffic—sometimes more than it can handle. But thanks to a weakness in the interface that the FCC published for citizens to file comments on proposed rule changes, there's a lot more interesting—and potentially malicious—content now flowing onto one FCC domain.

The system allows just about any file to be hosted on the FCC's site—potentially including malware. The application programming interface (API) for the FCC's Electronic Comment Filing System that enables public comment on proposed rule changes has been the source of some controversy already. It exposed the e-mail addresses of public commenters on network neutrality—intentionally, according to the FCC, to ensure the process's openness—and was the target of what the FCC claimed was a distributed denial of service (DDoS) attack. But as a security researcher has found, the API could be used to push just about any document to the FCC's website, where it would be instantly published without screening. Because of the open nature of the API, an application key can be obtained with any e-mail address. While the content exposed via the site thus far is mostly harmless, the API could be used for malicious purposes as well. Since the API apparently accepts any file type, it could theoretically be used to host malicious documents and executable files on the FCC's Web server.
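The missing control the article describes is server-side screening of what a comment-filing endpoint publishes. The following is an added example, not FCC or ECFS code, of the kind of check such an endpoint would need: an assumed allow-list of document types verified by file signature rather than by the client-supplied filename, a rejection list for executable formats, and an assumed size cap.

```python
from dataclasses import dataclass

MAX_BYTES = 25 * 1024 * 1024  # assumed size cap for one attachment

# Allow-listed document types: extension -> file signature(s) at offset 0.
# The client-supplied filename and Content-Type are not trusted; the bytes decide.
ALLOWED_SIGNATURES = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "txt": [],  # no signature; validated as decodable UTF-8 text instead
}

# Executable formats that must never be published, whatever the extension claims.
EXECUTABLE_SIGNATURES = [
    b"MZ",                # Windows PE / DOS
    b"\x7fELF",           # ELF
    b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"#!",                # script with an interpreter line
]


@dataclass
class ScreenResult:
    accepted: bool
    reason: str


def screen_attachment(filename: str, data: bytes) -> ScreenResult:
    """Decide whether an uploaded comment attachment may be published."""
    if len(data) > MAX_BYTES:
        return ScreenResult(False, "too large")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_SIGNATURES:
        return ScreenResult(False, f"extension not allowed: {ext or '(none)'}")
    if any(data.startswith(sig) for sig in EXECUTABLE_SIGNATURES):
        return ScreenResult(False, "executable content")
    expected = ALLOWED_SIGNATURES[ext]
    if expected and not any(data.startswith(sig) for sig in expected):
        return ScreenResult(False, f"content does not match .{ext}")
    if not expected:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return ScreenResult(False, "text attachment is not UTF-8")
    return ScreenResult(True, "ok")


if __name__ == "__main__":
    # Constructed sample: a PE stub renamed to look like a PDF is refused.
    print(screen_attachment("comment.pdf", b"MZ\x90\x00" + b"\x00" * 60))
```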
