When Uploading Comments to the FCC, You Can Now Include Malware
The website of the FCC (Federal Communications Commission) gets massive traffic, a few times more than its handling capacity. But because of a weakness in the interface that the FCC published so citizens can file comments on proposed rule changes, much more interesting, and possibly malicious, content is now flowing into one of the FCC's domains. The system allows any file to be hosted on the FCC's site, possibly including malware.
As for what is happening here, Noon's Guise Bule, the hacker, wrote in a Medium post that the FCC's comment-filing system lets almost anyone with some know-how upload whatever they feel like. According to Bule, people have uploaded GIFs and also .exe files up to 25 MB in size.
That false memo alone might be weird enough, but folks on Twitter have now been posting FCC-hosted media containing everything from Rick and Morty GIFs to goat memes. motherboard.vice.com reported on August 31st, 2017, that people have mainly been treating the FCC like their own personal cloud storage.
Other researchers reproduced the vulnerability on Aug. 30 and posted their findings on Twitter. Because of the open nature of the API, an application key could be obtained with any e-mail address.
Although the content exposed on the site is still mostly harmless, the API can also be used for malicious purposes. Because the API apparently accepts any file type, it could theoretically be used to host executable files and malicious documents on the FCC's web server.
In an emailed statement to Motherboard, FCC spokesperson Brian Hart said that the agency is taking steps to ensure that no malware gets uploaded to its servers.
The FCC's comment system is designed to maximize inclusiveness, and part of the FCC system allows anybody to upload a document as a public comment, which is what has taken place in this case. The FCC has had measures in place to prevent malware from being uploaded to its comment system. The FCC is running further scans and is also taking extra steps with its cloud partners to make sure that no known malware gets uploaded to its comment system.
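The weakness described above is an upload endpoint that accepts any file type. The following is an added example, not code from the FCC, the article, or the researchers, of a server-side check that allowlists comment documents by their content rather than their filename. The accepted types (PDF, DOCX, plain text), the function names, and the size cap are assumptions chosen for illustration.

```python
import io
import zipfile

MAX_BYTES = 25 * 1024 * 1024  # assumed policy cap, not a documented FCC limit

# Content signatures refused outright, whatever the filename claims.
BLOCKED_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable",
                 b"GIF87a": "GIF image", b"GIF89a": "GIF image"}

def sniff_type(data: bytes):
    """Return the allowlisted document type found in the content, or None."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        # DOCX is a ZIP container: require the Word parts, not just any ZIP.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return None
        wanted = {"[Content_Types].xml", "word/document.xml"}
        return "docx" if wanted <= names else None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Plain text: printable characters and common whitespace only.
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return "txt"
    return None

def check_upload(filename: str, data: bytes):
    """Return (accepted, reason) for one comment attachment; fails closed."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    for magic, label in BLOCKED_MAGIC.items():
        if data.startswith(magic):
            return False, f"blocked content: {label}"
    detected = sniff_type(data)
    if detected is None:
        return False, "content is not an allowlisted document type"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != detected:
        return False, f"extension .{ext} does not match content ({detected})"
    return True, detected

if __name__ == "__main__":
    # Constructed samples: a renamed executable header and a text comment.
    print(check_upload("comment.pdf", b"MZ\x90\x00" + b"\x00" * 60))
    print(check_upload("comment.txt", b"I oppose the proposed rule.\n"))
```

Type allowlisting of this kind complements the malware scanning mentioned in the FCC statement; it does not replace scanning of the documents that are accepted.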
» SPAMfighter News - 9/8/2017