
The FCC.gov Website Lets You Upload Malware Using Its Own Public API Key - knaik94
https://hackernoon.com/the-fcc-gov-website-lets-you-upload-documents-and-host-them-there-bdcd5c1a5b8b
======
guptaneil
This is a sad but easily fixed vulnerability on the part of the FCC. The
bigger issue, in my mind, is the fact that the student (presumably an American
citizen) who just uploaded a file via a public API is legitimately scared of
aggressive retribution from his government. That should speak volumes of where
we've fallen as a country.

~~~
Alex3917
> This is a sad but easily fixed vulnerability on the part of the FCC.

By law they need to share what you post publicly, including files. This
'vulnerability' has been around for decades.

~~~
guptaneil
Hosting files is a feature. The bug is doing so on the same domain as an
official government source. The fix is registering a non-gov domain like
fccusercontent.com and hosting files from there. (Also they should probably
limit the API to only accept PDFs, TXT, and other reasonable file types.)

~~~
Alex3917
It seems more appropriate just to add a ~ to the url, indicating that it's a
user-uploaded file from an otherwise trusted domain. Browsers can then warn
users about that however they want.

~~~
krastanov
From some quick googling, it seems to me that having a ~ in the url is not a
standard, rather it is only a coincidence that most of the time it is used in
cases where the content is user uploaded (e.g. the user home directory on a
UNIX machine).

~~~
Alex3917
It's not a coincidence, the reason that universities and other content
providers follow this pattern is specifically to signal that the
company/institution doesn't vouch for whatever is being hosted.

~~~
jlgaddis
The reason is because that's how mod_userdir has worked for a couple of
decades or so.

It was a way to easily allow unprivileged users to share content from their
~/public_html/ directory.

~~~
Alex3917
Interesting. This makes sense from a technical perspective.

Nevertheless, it's clearly associated with UGC content, and as far as I know
there have never been any major sites that have hosted non-UGC content using
this scheme. (E.g. there is no history of use for things like Amazon product
pages or whatever.)

And in school we were always taught that content coming from user pages on
university systems shouldn't be cited as if it were academic content being
published or endorsed by the university. I'm sure others were taught the same.

~~~
p4lindromica
The reason this matters is the same origin policy, which tilde does not
protect you from.

~~~
Alex3917
That makes sense. I still think there is good reason to create a standard
around this indicating UGC content within a subdomain though. For example:

- Browsers might want to treat it differently for malware scanning purposes.

- Content owners might want to treat it differently when filing automated
DMCA complaints.

- Search engines might want to treat it differently for ranking purposes.

~~~
cyphar
One of the biggest reasons why GitHub (for example) uses a separate subdomain
is so that a persistent XSS exploit on their UGC domain cannot access HTTPOnly
cookies or other information from their real domain. Impersonation is a bigger
problem for a government, but it's also a security measure against how broken
the current security model for things like cookies is.

~~~
Alex3917
I get why subdomains can be useful for preventing XSS and CORS issues,
especially for non API-driven sites. The problem is that subdomains are used
for all sorts of things, so just because something is on a subdomain doesn't
signal that it's UGC content. Even if you hosted each person's content on its
own subdomain, it would still be useful to have a standard way to signal that
this content wasn't created by the organization who owns the domain.

The benefit of the tilde is that, at least as far as I know, it has never been
used for anything other than signaling that something is UGC content. (Even if
that was a technological accident and not its original intent.)

~~~
joombaga
> it would still be useful to have a standard way to signal that this content
> wasn't created by the organization who owns the domain.

Do you think the assumption that the content _was_ created by the organization
who owns the domain should be default? Wouldn't it be better for the
organization to provide a signature for the content it _did_ create?

~~~
Alex3917
> Do you think the assumption that the content was created by the organization
> who owns the domain should be default?

Sure, and I think that is the current assumption. What's missing is a way to
specify UGC content that wasn't created by the organization.

> Wouldn't it be better for the organization to provide a signature for the
> content it did create?

I don't think this would be viable for two reasons:

- It would require people to do the work to opt in, without any obvious
incentive for doing so.

- No obvious way to differentiate UGC content from javascript dependencies,
fonts, ad trackers, etc.

Whereas there are good use cases for allowing folks to mark content as being
UGC. For example, let's say the game Draw Something wanted to let users upload
their creations. So no security issues, since images are created through their
own app, but they don't necessarily want everyone thinking that they're
spending all day creating and uploading millions of dick drawings either.

~~~
p4lindromica
I have no idea what problem you think you are solving. Could you clearly state
your goals and why you think they are broadly applicable?

~~~
Alex3917
So the original question was how to signal that files uploaded by users to the
FCC were not created by the FCC. Some people suggested entirely different
domains, but that's hacky and doesn't really solve the issue. And maybe the
content should be hosted on a subdomain for security reasons, but that still
doesn't solve the issue of signaling that it wasn't created by the FCC.

I suggested just adding a ~ to the domain name, because when you see a domain
name like this:

[http://www.cs.columbia.edu/~allen/](http://www.cs.columbia.edu/~allen/)

It's universally recognized that the content on that page was not created by
columbia.edu or cs.columbia.edu in an official capacity.

Other people said we can't do this because it's not an official standard, so I
said let's just make it a standard. Which I think is good because it keeps an
important piece of Internet culture alive by codifying it, which would let
people rely on it when designing new systems. And ultimately it should work
because there is no history of this URL pattern being used for non-UGC
content.

~~~
p4lindromica
it amazes me that you consider this post to be an accurate depiction of the
way the world is.

it appears your only goal is to be right.

------
phsource
After reading the API docs, it appears that the FCC operates a mini-
imgur/pastebin/file hosting service to help attach files to FCC filings:

[https://www.fcc.gov/ecfs/public-api-docs.html#Full-Filing-Step-1---Upload-Files](https://www.fcc.gov/ecfs/public-api-docs.html#Full-Filing-Step-1---Upload-Files)

Unfortunately, these "temporary" file uploads end up accessible from the main
FCC domain (i.e. fcc.gov), unlike e.g., Google (e.g., "googleusercontent.com"
vs. "google.com"). In Google's case, the separate domain helps distinguish the
content as unofficial.

It's understandable why it was originally engineered this way, since it's
probably easier to create a subdomain under fcc.gov rather than to get an
unrelated domain, but that's why we ended up here!

~~~
throwaway2016a
"Easier" is relative. And in this case relatively small.

The server and DNS configuration you need for a subdomain is identical to what
you need for a separate domain. Possibly slightly more to manage if you are
using the "naked" domain because of the DNS issue with not supporting CNAME
records on the naked domain.

If you already have a wildcard SSL certificate for the subdomain a separate
domain might be more work because you need a new cert and you don't if you
stick with a subdomain.

The most work is actually buying the domain.

Then again, this is government we are talking about so buying a $10 domain is
probably three weeks worth of paperwork.

~~~
doingmything
And how many layers of red tape do you think the dev would have to go through
to get a new domain?

~~~
throwaway2016a
On my team as a private company it looks like:

Dev: "Can I have a domain?" Me: "Sure" 10 minutes later done

In government I imagine you need a procurement order which needs to be
approved. And my anecdotal experience has been that the dev teams don't always
take high priority in those queues.

I'm sure it's not as hard as I made it out to be but it is certainly not as
straightforward as many of us are used to.

~~~
namdnay
It's not really linked to private vs public. It's more of an organisation size
question. I can guarantee that if you were working in a megacorp it would be
the same issue.

~~~
52-6F-62
I work in a megacorp. Can confirm. Have to file tickets, and they have to seek
approvals for either delegation of server allotments and subdomains or new dns
pointers or worse.

I regularly need to host internal applications accessible by other staff and
often just do so from my machine during the daytime and send them updated IP
addresses/ports where they can access them... boss didn't even think it was
possible...

Yeah. I imagine the government processes are pretty convoluted.

~~~
paulmd
And this is how you get departments running their own infrastructure lava-
layered over the top of the unresponsive corporate IT...

~~~
52-6F-62
Pretty much.

Some of the tools are temporary mind you, and it's much quicker to run the
temp tool on my machine through the local network for a couple of weeks than
to spend a few days waiting on resource allocation and then getting it shut
down afterward.

Some of them are scheduled to be merged into larger projects that will seek
out the necessary permanent resources... in time.

And things always take their time. It's my first excursion into such a large
company and it is boggling at times. Things that would be small flaws in a
smaller business are magnified 10, or 100x.

------
dsfyu404ed
The description of the author of the pdf that made the rounds yesterday is
exactly what I expected.

It's a shame most organizations do not do a good job handling vulnerability
reports from outside sources and everyone knows it (so nobody tries to alert
the organization). I would be very surprised if he was the first
procrastinating college student to figure this out.

~~~
Klathmon
I'll send reports of vulnerabilities to some companies out there, but the US
government is one area I would never speak a word about any of this to.

If I had discovered this, I'd wipe my trail clean and never speak of it again.
The likelihood that I'd end up in federal prison for it is just way too high.

~~~
ShabbosGoy
I'm not sure why people are saying things like this.

Why would you go to Federal Prison for using an intended feature on a
government website?

~~~
Klathmon
Because I don't know how it was intended to be used.

Just because you can do something doesn't mean you are legally allowed to.
People have been prosecuted for simply opening URLs without any
authentication, and I know the specifics of that case were different, but it
still terrifies me that I might accidentally trigger a bug in a system that
looks "intended" to me, but to them looks like a malicious attack.

And once they have decided it's against their intention, I'm in the wrong.
There's no way for me to easily or quickly "prove" my intentions were pure or
my understanding was incorrect, and even if I could it's still months or years
of litigation possibly with me in jail.

And all of this goes doubly for trying to be a whitehat and letting the
government know about vulnerabilities. Saying "hey I found this vuln in your
system" is pretty much a confession that I did break the law and used a
computer system illegally.

------
peterwwillis
Unrelated: What is with the MAGA types that started them using 'cuck' as a
catch-all derogatory term? Do any of them realize it's a common sexual fetish
which people knowingly and consensually engage in? It's not actually an
insult, it's like saying "person who likes bondage".

~~~
openasocket
Etymologically, cuckold used to refer to someone being cheated on without
their knowledge and consent (and still has that meaning in the dictionary,
though its usage is rather archaic now). Using it to refer to the fetish is
somewhat more recent. Historically, it has been used as a derogatory term or
insult in certain cultures and time periods. So their usage of it isn't
exactly unprecedented, though it is odd that it's been latched on to as a
generic insult.
[https://en.wikipedia.org/wiki/Cuckold](https://en.wikipedia.org/wiki/Cuckold)

~~~
phy6
So kind of like hosting files you didn't intend to.

------
Fjolsvith
...and probably get 10 years in federal prison for doing so.

~~~
koolba
... per upload.

~~~
travjones
... per megabyte.

~~~
sleepychu
It says here you uploaded something nasty called a "Mega Bite"? Please explain
that.

~~~
toomanybeersies
Given that prosecutors tried to show that Sergey Aleynikov was acting
maliciously by using Subversion [0] (obviously it's subversive!), I wouldn't
be surprised if they tried that.

[0]: [https://www.vanityfair.com/news/2013/09/michael-lewis-goldman-sachs-programmer](https://www.vanityfair.com/news/2013/09/michael-lewis-goldman-sachs-programmer)

------
msimpson
At first, given the headline, I thought this was some new investigative
feature.

------
lsmod
It looks like they have fixed it (at least some part of it)

"Access Denied. File must be attached to a posted filing to be available."

------
azinman2
To me the real shock is someone who can figure this out is against net
neutrality! I thought only Comcast etc was against it.

[https://ecfsapi.fcc.gov/file/7521271363.pdf](https://ecfsapi.fcc.gov/file/7521271363.pdf)

