The Federal Communications Commission’s website allows users to upload any file to the agency’s domain, including malware, GIFs and one strange and official-looking proclamation that grabbed the internet’s attention this week. The permissive nature of the site has stoked worries about potential security issues.
Here’s the problem: To enable public comment on proposed FCC rule changes, the application programming interface (API) on the agency’s Electronic Comment Filing System allows seemingly any document to be uploaded and published to the FCC’s website.
On Wednesday, a PDF uploaded through the comment system on FCC.gov slamming FCC chairman Ajit Pai made the rounds online.
Pranks are obvious attention-getters, but the same open upload capability could potentially be used in phishing and malware campaigns whose links point to the legitimate FCC.gov domain. An FCC spokesperson said the agency is running anti-malware scans and is working with cloud providers on additional security steps. Despite worries, no malware has been identified by the agency or outside observers.
FCC statement on ECFS system letting anyone upload comments, including last night's one about chair Ajit Pai being a cuck: pic.twitter.com/4AHvRhK14O
— Kevin Collier (@kevincollier) August 31, 2017
Although the issue is grabbing headlines today, the open upload behavior has been around and used for years. Here’s a 2014 upload of the entirety of “War and Peace,” a 600,000-word novel transferred to the site just to try to prove that “none of these are going to be read by anyone anyway.”