Malware could potentially be hosted on the Federal Communications Commission’s official website due to a security vulnerability, according to a report.
“Somewhat incredibly I am the first tech writer on the planet to break this story, but even more incredibly the FCC lets you upload any file to their website and make that file publicly accessible using the FCC.gov domain,” explained security blogger Guise Bule on Hacker Noon, Wednesday. “Or rather they don’t, but they have somehow not realized that they are.”
The revelation comes after left-wing activists online were hoaxed into thinking that the FCC had issued a statement calling Chairman Ajit Pai a “filthy spineless cuck.”
The mock statement, which included the FCC’s logo and address, was uploaded by a troll to the FCC’s website using a system that allows the general public to upload “comments about proposed policies and regulations.”
Following the hoax, several other users also started uploading troll documents to the website. That presents a clear security risk: phishing lures could easily be hosted on the secure and official-looking .gov domain, prompting the public to fall for them.
“People seem to be experimenting with uploading different filetypes, so far they have managed pdf/gif/ELF/exe/mp4 files up to 25MB in size, which means that you could easily host malware on the FCC.gov website right now and use it in phishing campaigns that link to malware on a .gov website,” claimed Bule. “So far internet people have discovered that you can upload video and play it back using an FCC.gov link, though some have been having trouble uploading, while others playing with the vulnerability are clearly not.”
“This is clearly hugely embarrassing for the FCC and they will undoubtedly notice this and remove those articles at some point, possibly disabling public API use until they investigate further, possibly making a show of it,” he continued. “They can’t have people uploading fake communications carrying an FCC letterhead and pretending they are real documents, the potential for fraudulent use is ridiculously high. This vulnerability is still being abused and people are playing with it right this moment, uploading all sorts of funny memes and anti-net-neutrality documents.”
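The weakness described in the report is a public upload endpoint that accepts any file type and then serves it back from the site's own domain. The following is an added illustration of the server-side control that prevents that class of problem; it is hypothetical example code, not the FCC's comment system or anything from the report. It assumes a comment attachment only ever needs to be a PDF, GIF or PNG, ignores the client-supplied extension and MIME type in favour of the file's actual leading bytes, enforces the 25MB cap the report mentions, and returns the response headers an accepted file should be served with so the browser downloads it rather than renders or plays it. The `validate_upload`, `sniff`, `response_headers` and `Verdict` names and the sample payloads are all constructed for this example.

```python
"""Allow-list based upload validation (added defensive example, not the
FCC's code). Decides whether an uploaded comment attachment may be stored
and later served from the site's own domain."""
from dataclasses import dataclass
from typing import Optional

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # size cap mentioned in the report

# Only the formats a public-comment system plausibly needs; everything
# else (executables, video, archives, HTML) is refused outright.
ALLOWED_SIGNATURES = {
    "pdf": (b"%PDF-",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Leading bytes of types that must never sit on a public web domain.
# They would be rejected anyway; the table only lets the log say why.
KNOWN_DANGEROUS = {
    b"\x7fELF": "ELF executable",
    b"MZ": "Windows PE executable",
}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    detected_type: Optional[str] = None


def sniff(data: bytes) -> Optional[str]:
    """Return the allow-listed format whose magic bytes the data starts with."""
    for kind, magics in ALLOWED_SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def validate_upload(filename: str, data: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES) -> Verdict:
    """Accept only non-empty, size-capped files whose extension is on the
    allow-list AND whose content really is that format."""
    if len(data) == 0:
        return Verdict(False, "empty file")
    if len(data) > max_bytes:
        return Verdict(False, f"exceeds {max_bytes} byte limit")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_SIGNATURES:
        return Verdict(False, f"extension {ext!r} not in allow-list")
    # The extension is untrusted input: an executable renamed to .pdf
    # passes the check above, so the bytes themselves decide.
    for magic, label in KNOWN_DANGEROUS.items():
        if data.startswith(magic):
            return Verdict(False, f"content is a {label} despite .{ext} name")
    detected = sniff(data)
    if detected is None:
        return Verdict(False, "content does not match any allowed format")
    if detected != ext:
        return Verdict(False, f"extension .{ext} does not match content ({detected})")
    return Verdict(True, "ok", detected)


def response_headers(detected_type: str) -> dict:
    """Headers for serving an accepted file: fixed MIME type from the sniffed
    format, forced download, no browser sniffing, no script execution."""
    mime = {"pdf": "application/pdf", "gif": "image/gif", "png": "image/png"}
    return {
        "Content-Type": mime[detected_type],
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed sample payloads: just the leading bytes of each format,
# enough for the checks above, not real files.
SAMPLES = {
    "notice.pdf":  b"%PDF-1.4\n%constructed sample\n",
    "fake.pdf":    b"\x7fELF\x02\x01\x01" + b"\x00" * 9,   # ELF renamed to .pdf
    "tool.exe":    b"MZ\x90\x00" + b"\x00" * 12,
    "meme.gif":    b"\x00\x00\x00\x18ftypmp42",           # MP4 renamed to .gif
    "real.gif":    b"GIF89a\x01\x00\x01\x00",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        v = validate_upload(name, payload)
        print(f"{name:12} accepted={v.accepted!s:5} {v.reason}")
```

The order of checks matters: size and extension are cheap and cut most abuse early, but the magic-byte comparison is what actually stops a renamed executable, and the `attachment` disposition plus `nosniff` stops whatever does get through from being rendered or played inside the trusted domain.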