FCC API could be misused to host malware on FCC's domain.

The Federal Communications Commission's website already gets a lot of traffic—sometimes more than it can handle. But thanks to a weakness in the interface that the FCC published for citizens to file comments on proposed rule changes, there's a lot more interesting—and potentially malicious—content now flowing onto one FCC domain. The system allows just about any file to be hosted on the FCC's site—potentially including malware.

The application programming interface for the FCC's Electronic Comment Filing System that enables public comment on proposed rule changes—such as the dropping of net neutrality regulations currently being pushed by FCC Chairman Ajit Pai—has been the source of some controversy already. It exposed the e-mail addresses of public commenters on network neutrality—intentionally, according to the FCC, to ensure the process' openness—and was the target of what the FCC claimed was a distributed denial of service (DDoS) attack. But as a security researcher has found, the API could be used to push just about any document to the FCC's website, where it would be instantly published without screening. That was demonstrated by a PDF published with Microsoft Word that was uploaded to the site, now publicly accessible.

JON JOLLEE @h3apspray
FCC has released a statement regarding Ajit Pai and net neutrality. https://ecfsapi.fcc.gov/file/DOC-578d579d1f000000-A.pdf … @FCC @AjitPaiFCC #NetNeutrality @Lucky225 @Hak5
9:01 PM - Aug 30, 2017
Other researchers reproduced the vulnerability on August 30, posting about their findings to Twitter. Because of the open nature of the API, an application key can be obtained with any e-mail address.

While the content exposed via the site thus far is mostly harmless, the API could be used for malicious purposes as well. Since the API apparently accepts any file type, it could theoretically be used to host malicious documents and executable files on the FCC's Web server.

waxwing slain 🎲 @hexwaxwing
Replying to @hacktifish and 2 others
...what the actual fuck?
Kenny @r3dey3
it's worse... you can upload any file you want!
10:18 PM - Aug 30, 2017
"I used a fake name and sent it to a gmail account and it sent me an API key right away," reported one researcher via Twitter under the account @hacktifish.

Ars has reached out to the FCC for comment, but we have not yet received a reply.