Who says government agencies can’t innovate? The Fascist Communications Club Federal Communications Commission (FCC) has an online commenting system that allows individuals to give their input on proposed rule changes. In addition to being a commenting system, it also serves as a file hosting service:
The application programming interface for the FCC’s Electronic Comment Filing System that enables public comment on proposed rule changes—such as the dropping of net neutrality regulations currently being pushed by FCC Chairman Ajit Pai—has been the source of some controversy already. It exposed the e-mail addresses of public commenters on network neutrality—intentionally, according to the FCC, to ensure the process’ openness—and was the target of what the FCC claimed was a distributed denial of service (DDoS) attack. But as a security researcher has found, the API could be used to push just about any document to the FCC’s website, where it would be instantly published without screening. That was demonstrated by a PDF published with Microsoft Word that was uploaded to the site, now publicly accessible.
I guess the FCC decided that since you’re already paying taxes to fund it, it didn’t need to charge you for file hosting services.
The level of incompetency displayed by the government never ceases to amaze me. Commenting systems aren’t exactly rocket science; they have been available on websites for ages now. Most of those commenting systems managed to implement basic protections against uploading arbitrary files. Why didn’t the FCC just go with one of those services, or at least hire a developer with some basic understanding of how to develop a commenting system that isn’t vulnerable to such a trivial exploit?
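For a concrete picture of what "basic protections against uploading arbitrary files" look like in a comment-filing API, here is an added example written for this post. It is not the FCC's code and not taken from the article; the 10 MiB cap, the PDF/plain-text allowlist and the review queue are assumed policy choices. It checks size, strips path components from the client-supplied filename, allowlists the extension, compares the declared MIME type and the file's leading bytes against what that extension should contain, and, crucially, marks every accepted file as queued for review rather than publishing it the instant it lands.

```python
import os
import re
from dataclasses import dataclass

MAX_BYTES = 10 * 1024 * 1024  # 10 MiB cap for a single attachment (assumed policy)

# Allowlist of attachment types: extension -> (required leading magic bytes, expected MIME)
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-", "application/pdf"),
    ".txt": (None, "text/plain"),
}

_SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""
    # Accepted files still wait for moderation; nothing goes public straight from the API.
    publish_immediately: bool = False


def sanitize_filename(name: str) -> str:
    """Reduce a client-supplied filename to a safe basename with a lower-cased extension."""
    base = name.replace("\\", "/").split("/")[-1]      # drop any directory components
    base = _SAFE_CHARS.sub("_", base).lstrip(".")       # no odd characters, no dot-files
    stem, ext = os.path.splitext(base)
    return (stem or "upload") + ext.lower()


def validate_attachment(filename: str, data: bytes, declared_mime: str) -> UploadDecision:
    """Decide whether an uploaded attachment may enter the review queue."""
    if len(data) == 0:
        return UploadDecision(False, "empty file")
    if len(data) > MAX_BYTES:
        return UploadDecision(False, f"file exceeds {MAX_BYTES} bytes")

    stored = sanitize_filename(filename)
    ext = os.path.splitext(stored)[1]
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension {ext or '(none)'} not in allowlist")

    magic, expected_mime = ALLOWED_TYPES[ext]
    # The client's Content-Type is advisory only; it must agree with the extension...
    if declared_mime.split(";")[0].strip().lower() != expected_mime:
        return UploadDecision(False, f"declared MIME {declared_mime!r} does not match {ext}")
    # ...and the bytes themselves must agree too, so a renamed executable is refused.
    if magic is not None and not data.startswith(magic):
        return UploadDecision(False, f"content does not look like {ext}")
    if ext == ".txt":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return UploadDecision(False, "text attachment is not valid UTF-8")
        if b"\x00" in data:
            return UploadDecision(False, "binary content in text attachment")

    return UploadDecision(True, "queued for review", stored_name=stored)


if __name__ == "__main__":
    # Constructed sample inputs, not real filings.
    for args in [
        ("My Comment.pdf", b"%PDF-1.4\n%sample\n", "application/pdf"),
        ("report.pdf", b"MZ\x90\x00", "application/pdf"),
        ("page.html", b"<html></html>", "text/html"),
    ]:
        print(args[0], "->", validate_attachment(*args))
```

The magic-bytes check is deliberately shallow: it stops a renamed binary, not a hostile but well-formed PDF, which is why accepted files still land in a review queue instead of being published on arrival.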
From what I’ve read, it doesn’t appear that the FCC has fixed this hole yet. While uploading arbitrary files to the FCC’s commenting service might cause you to run afoul of the Computer Fraud and Abuse Act, you still have access to a government-provided free file hosting service.