A vulnerability within the American Archive of Public Broadcasting’s web site allowed downloading of protected and personal media for years, with the flaw quietly patched this month.
BleepingComputer was tipped concerning the flaw by a cybersecurity researcher who requested to stay nameless, stating that the flaw has been exploited since not less than 2021, even after the researcher beforehand reported it to the group.
After contacting AAPB concerning the flaw, a spokesperson confirmed the problem, and the researcher validated that the repair was carried out inside 48 hours.
“We’re dedicated to defending and preserving the archival materials within the AAPB and have strengthened safety for the archive,” acknowledged AAPB’s Communications Supervisor, Emily Balk, to BleepingComputer.
“We stay up for persevering with to make public media historical past free and accessible to the general public.”
The American Archive, operated by WGBH Academic Basis (GBH) and the Library of Congress, is a public nonprofit archive whose mission is to gather, digitize, and protect traditionally vital content material produced by public radio and tv in the US.
BleepingComputer was informed that the AAPB vulnerability first circulated as a rumor in on-line discussions concerning the leak of the Sesame Avenue “Depraved Witch of the West” episode on the Misplaced Media Wiki Discord channel.
Misplaced Media Wiki took down the episode, saying that it was “possible obtained in an unlawful knowledge breach,” urging members to chorus from re-sharing it on its Discord channel.
Initially secret, the exploit technique started circulating in Discord preservation teams by mid-2024, resulting in additional leaks of protected content material on Discord servers targeted on content material preservation.
Referred to as knowledge hoarders, these communities dedicate themselves to archiving software program, web sites, working techniques, and numerous types of media, together with TV reveals, music, and films. Nonetheless, they usually function in a grey space, the place copyrighted content material is preserved and shared, blurring the road with digital piracy.
Even with AAPB’s takedown efforts, the exploit continued to flow into on numerous Discord servers and messaging apps, with a proof-of-concept shared with BleepingComputer displaying simply how straightforward it was to abuse.
The exploit shared with BleepingComputer is a straightforward Tampermonkey script that exploits an insecure direct object reference (IDOR) flaw, permitting customers to request media recordsdata by ID and bypass AAPB’s entry controls.
The bug enabled customers to vary the media ID parameter in media entry requests, permitting them to entry sources by the ID, even when they had been protected or non-public.
Though the primary /media/{ID} pages had some entry controls, attackers might bypass them by tampering with fetch or XMLHttpRequest calls made within the background.
As an alternative of AAPB’s server rejecting these requests with a ‘403 Forbidden’ error, so long as the request had a sound media ID, the content material was served.
Whereas the vulnerability has now been mounted, it’s not recognized how a lot content material was accessed and shared inside the knowledge hoarder group.
The leak of content material at American Archive adopted one other incident earlier this yr, the place PBS worker contact data was leaked and unfold by way of Discord servers for followers of ‘PBS Children.’
Each incidents illustrate how archival and fan communities can acquire entry to delicate or non-public knowledge, even when it isn’t used for malicious functions.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration traits.
