Parts of Twitter lit up on Wednesday evening with the news that the Federal Communications Commission, which is now headed by Donald Trump appointee and unflinching net neutrality opponent Ajit Pai, had posted a statement insulting the chairman in the grossest possible terms.
The message—which is not real—is hosted on the FCC website and purports to be a public relations statement just 16 words long: “Dear American citizenry, we’re sorry Ajit Pai is such a filthy spineless cuck. Sincerely, the FCC.”
Versions of the statement quickly made it to Y Combinator, where it was listed as an “internal ‘joke’ memo about Chairman Pai,” as well as Reddit, where various links to the statement gathered hundreds of upvotes.
The document is hosted on an official FCC domain, and can be viewed here. If it were actually composed by FCC staff, it would fall in line with the emerging cottage industry in federal employees letting loose their thoughts about the administration, few of which are positive.
Alas, the rebellious FCC employees in this case are a myth. The link to the supposed statement is ecfsapi.fcc.gov, of which the first four letters stand for “electronic comment filing system.” That’s the system the FCC uses for the public to upload comments about proposed policies and regulations, and pretty much anyone is free to upload whatever they want.
This Twitter user, for example, was able to upload a PDF to the system reading “Ayy lmao.”
Though it seems unlikely FCC staff are fond of their new chairman, yet another Trump appointee seemingly charged with the mission of destroying the designated functions of their agencies, alas, this was not to be.
Update 8/31/17 2:11am ET: According to security blogger Guise Bule, files have been ending up on an official FCC domain because the agency freely offers information about its public API to the public—part of a design strategy Bule suggested could lead to anyone easily hosting “malware on the FCC.gov website right now and use it in phishing campaigns that link to malware on a .gov website.”
“OP is legit and he stumbled across this vulnerability,” Bule wrote. “He was commenting on the FCC.gov website just before midnight deadline and he realized that they assigned a URL to a file before posting a comment ... The ‘express’ comment filing system that most people are using does not allow you to attach files and he was using the more robust filing feature.”
“It’s also important to note that OP believes that he never agreed to the FCC.gov TOS because he never applied for an API key, he just managed to get the URL through their faulty comment system, no hacking involved,” Bule added.
In other words, the user said he was able to upload the file without requesting an API key and did so before actually submitting a comment—potentially indicating a vulnerability in the ECFS system.