The API for the FCC's Electronic Comment Filing System, which allows public comment on proposed rule changes such as the repeal of net neutrality rules currently being pushed by FCC Chairman Ajit Pai, has already been the subject of some debate. It revealed the e-mail addresses of public commenters on network neutrality deliberately, according to the FCC, to preserve the openness of the process, and it was the target of what the FCC claimed was a distributed denial of service (DDoS) attack. But as a security researcher has discovered, the API can be used to push just about any document to the FCC's website, where it is published immediately without any filtering. That was confirmed by a PDF created with Microsoft Word that was uploaded to the site and is now openly accessible.
Other researchers reproduced the vulnerability on August 30, posting their findings on Twitter. Because of the open nature of the API, an API key can be obtained with any e-mail address.
While the content posted to the site so far is mostly harmless, the API could be used for malicious purposes as well. Since the API evidently accepts any file type, it could likely be used to host malicious documents and executable files on the FCC's web server.
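The defensive counterpart to the problem described above is server-side validation of an upload before it is published. The following is an added illustration, not the FCC's code or anything the ECFS API actually does: it checks the declared extension against an allowlist, compares it with the file's magic bytes, rejects known executable formats outright, and holds PDFs that carry active content for review. The sample inputs are constructed here for the demonstration.

```python
"""
Added example (not the FCC's code): validate an uploaded file before it is
published. Rejects anything not on the extension allowlist, anything whose
content does not match its declared type, any recognised executable format,
and holds PDFs that contain active content for manual review.
"""
from dataclasses import dataclass

# Allowed extensions mapped to their leading magic bytes (plain text has none).
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "txt": (),
}

# Leading bytes of executable formats that must never be published.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"#!": "script with shebang",
}

# Heuristic: PDF keywords associated with scripting or embedded payloads.
# A hit does not prove malice, so the file is held for review, not silently dropped.
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")


@dataclass
class Verdict:
    accepted: bool
    reason: str


def validate_upload(filename: str, data: bytes, max_bytes: int = 25 * 1024 * 1024) -> Verdict:
    """Return a Verdict for one upload; never trusts the client-supplied name alone."""
    if not data:
        return Verdict(False, "empty file")
    if len(data) > max_bytes:
        return Verdict(False, "exceeds size limit")

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return Verdict(False, f"extension '{ext}' not on allowlist")

    # Executable check runs before the type match so a renamed .exe is caught first.
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return Verdict(False, f"content is a {label}")

    if ext == "txt":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return Verdict(False, "declared text but not valid UTF-8")
        return Verdict(True, "text/plain accepted")

    if not any(data.startswith(m) for m in ALLOWED[ext]):
        return Verdict(False, f"content does not match declared '{ext}'")

    if ext == "pdf":
        hit = next((k for k in PDF_ACTIVE if k in data), None)
        if hit is not None:
            return Verdict(False, f"PDF contains active content ({hit.decode()}); held for review")

    return Verdict(True, f"{ext} accepted")


# Constructed sample uploads covering the cases a reviewer would want to see.
SAMPLES = {
    "comment.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF",
    "renamed.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "tool.exe": b"MZ\x90\x00",
    "scripted.pdf": b"%PDF-1.7\n1 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj",
    "notes.txt": b"\xff\xfe\x00\xd8",
    "image.png": b"%PDF-1.4 not really a png",
}


def run_samples() -> dict:
    """Validate every constructed sample and return {name: accepted}."""
    return {name: validate_upload(name, data).accepted for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = validate_upload(name, data)
        print(f"{name:14} {'ACCEPT' if v.accepted else 'REJECT'}  {v.reason}")
```

Of the six constructed samples only the plain PDF passes; the renamed executable is caught by its MZ header regardless of the `.pdf` name, and the PDF with a `/JavaScript` action is held rather than published. Magic-byte and keyword checks are a floor, not a full parser, so a real deployment would add a proper PDF sanitiser and antivirus scan behind this gate.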
“I used a fake title and sent it to a Gmail account and it sent me an API key right away,” reported one researcher via Twitter under the account @hacktifish.