A vulnerability within the American Archive of Public Broadcasting’s web site allowed downloading of protected and personal media for years, with the flaw quietly patched this month.
BleepingComputer was tipped in regards to the flaw by a cybersecurity researcher who requested to stay nameless, stating that the flaw has been exploited since no less than 2021, even after the researcher beforehand reported it to the group.
After contacting AAPB in regards to the flaw, a spokesperson confirmed the problem, and the researcher validated that the repair was applied inside 48 hours.
“We’re dedicated to defending and preserving the archival materials within the AAPB and have strengthened safety for the archive,” said AAPB’s Communications Supervisor, Emily Balk, to BleepingComputer.
“We sit up for persevering with to make public media historical past free and accessible to the general public.”
The American Archive, operated by WGBH Academic Basis (GBH) and the Library of Congress, is a public nonprofit archive whose mission is to gather, digitize, and protect traditionally vital content material produced by public radio and tv in the USA.
BleepingComputer was advised that the AAPB vulnerability first circulated as a rumor in on-line discussions in regards to the leak of the Sesame Avenue “Depraved Witch of the West” episode on the Misplaced Media Wiki Discord channel.
Misplaced Media Wiki took down the episode, saying that it was “possible obtained in an unlawful information breach,” urging members to chorus from re-sharing it on its Discord channel.
Initially secret, the exploit methodology started circulating in Discord preservation teams by mid-2024, resulting in additional leaks of protected content material on Discord servers centered on content material preservation.
Referred to as information hoarders, these communities dedicate themselves to archiving software program, web sites, working programs, and numerous types of media, together with TV exhibits, music, and films. Nonetheless, they usually function in a grey space, the place copyrighted content material is preserved and shared, blurring the road with digital piracy.
Even with AAPB’s takedown efforts, the exploit continued to flow into on numerous Discord servers and messaging apps, with a proof-of-concept shared with BleepingComputer displaying simply how straightforward it was to abuse.
The exploit shared with BleepingComputer is a straightforward Tampermonkey script that exploits an insecure direct object reference (IDOR) flaw, permitting customers to request media recordsdata by ID and bypass AAPB’s entry controls.
The bug enabled customers to alter the media ID parameter in media entry requests, permitting them to entry assets by the ID, even when they had been protected or personal.
Though the principle /media/{ID} pages had some entry controls, attackers may bypass them by tampering with fetch or XMLHttpRequest calls made within the background.
As an alternative of AAPB’s server rejecting these requests with a ‘403 Forbidden’ error, so long as the request had a legitimate media ID, the content material was served.
Whereas the vulnerability has now been mounted, it isn’t recognized how a lot content material was accessed and shared inside the information hoarder group.
The leak of content material at American Archive adopted one other incident earlier this yr, the place PBS worker contact data was leaked and unfold by way of Discord servers for followers of ‘PBS Youngsters.’
Each incidents illustrate how archival and fan communities can achieve entry to delicate or personal information, even when it is not used for malicious functions.
46% of environments had passwords cracked, almost doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration tendencies.
