People Are Uploading Memes and Fake Documents to the FCC Website Using API Keys the Agency Gave Out

There’s no hacking involved here.

The US Federal Communications Commission has drawn criticism in recent months as its new chairman, former Verizon lawyer Ajit Pai, pushes to roll back key provisions of current net neutrality rules. The rules, which first went into place in 2010, require internet service providers like Verizon to offer equal access to all web content; Pai believes they were established based on “hypothetical harms and hysterical prophecies of doom,” and that they’re bad for business.

For months, the American public has been expressing its disdain for Pai’s proposals by filing thousands of complaints to the FCC’s Electronic Comment Filing System. Now, a security researcher has discovered a way to go beyond angry comments. At the moment, the FCC is granting API keys to the filing system to anyone who asks, and the recipients can use the keys to upload files to the FCC’s web servers. There’s no hacking involved here; the API documentation on the FCC’s website explains exactly how to upload files, and those who’ve received API keys from the agency are simply using them. The API was set up this way so that web developers can collect data on submitted comments and submit new comments from other websites.

The oversight was first noticed by a security researcher who posted a link and a screenshot of a fake government document to Twitter on Aug. 30. The document, which was published to the FCC.gov website, is a letter that includes the FCC’s seal and is addressed to “The American People.”

The letter reads:

Dear American citizenry,
We’re sorry Ajit Pai is such a filthy spineless cuck.
Sincerely,
The FCC

As others have learned about the lax restrictions on the API, other pieces of content have popped up on the website. One is a document with just one sentence: “Fuck Net Neutrality. God bless America!”

There’s also this goat joke:

Some of the files have been on the FCC’s servers for at least a full day so far, and the agency has yet to take them down or comment on whether it plans to fix the security hole.