
American Archive of Public Broadcasting fixes bug exposing restricted media

A vulnerability in the American Archive of Public Broadcasting's website allowed the download of protected and private media for years, with the flaw quietly patched this month.

BleepingComputer was tipped off about the flaw by a cybersecurity researcher who asked to remain anonymous, stating that the flaw has been exploited since at least 2021, even after the researcher had previously reported it to the organization.

After BleepingComputer contacted AAPB about the flaw, a spokesperson confirmed the issue, and the researcher validated that the fix was applied within 48 hours.

“We are committed to protecting and preserving the archival materials in the AAPB and have strengthened security for the archive,” AAPB's Communications Manager, Emily Balk, told BleepingComputer.

“We look forward to continuing to make public media history free and accessible to the public.”

The American Archive, operated by the WGBH Educational Foundation (GBH) and the Library of Congress, is a public nonprofit archive whose mission is to collect, digitize, and preserve historically significant content produced by public radio and television in the United States.


BleepingComputer was told that the AAPB vulnerability first circulated as a rumor in online discussions about the leak of the Sesame Street “Wicked Witch of the West” episode on the Lost Media Wiki Discord channel.

Lost Media Wiki took down the episode, saying that it was “likely obtained in an illegal data breach,” and urged members to refrain from re-sharing it on its Discord channel.

Initially secret, the exploit method began circulating in Discord preservation groups by mid-2024, leading to further leaks of protected content on Discord servers focused on content preservation.

Known as data hoarders, these communities dedicate themselves to archiving software, websites, operating systems, and various forms of media, including TV shows, music, and movies. However, they often operate in a gray area, where copyrighted content is preserved and shared, blurring the line with digital piracy.

Even with AAPB's takedown efforts, the exploit continued to circulate on various Discord servers and messaging apps, with a proof-of-concept shared with BleepingComputer showing just how easy it was to abuse.


The exploit shared with BleepingComputer is a simple Tampermonkey script that abuses an insecure direct object reference (IDOR) flaw, allowing users to request media files by ID and bypass AAPB's access controls.

The bug enabled users to change the media ID parameter in media access requests, allowing them to access resources by ID even when those resources were protected or private.

Though the primary /media/{ID} pages had some entry controls, attackers may bypass them by tampering with fetch or XMLHttpRequest calls made within the background.

Instead of AAPB's server rejecting these requests with a ‘403 Forbidden’ error, the content was served as long as the request carried a valid media ID.
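The following is an added example, not AAPB's code, that models the flaw described above with a hypothetical catalogue and access policy: the page route checks authorization, but the background media-fetch endpoint serves any valid ID; the fixed handler applies the same policy check wherever the bytes are returned and logs refusals so that probing of restricted IDs becomes visible.

```python
"""Model of the AAPB-style IDOR and its fix (added example; ids, roles and policy are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample catalogue: access levels and payload bytes are made up.
CATALOGUE: Dict[str, dict] = {
    "cpb-aacip-1001": {"access": "public", "data": b"PUBLIC-CLIP"},
    "cpb-aacip-1002": {"access": "onsite", "data": b"ONSITE-ONLY-CLIP"},
    "cpb-aacip-1003": {"access": "private", "data": b"PRIVATE-CLIP"},
}

# Hypothetical policy: which roles may read each access level.
POLICY: Dict[str, set] = {
    "public": {"anonymous", "onsite_patron", "staff"},
    "onsite": {"onsite_patron", "staff"},
    "private": {"staff"},
}


@dataclass
class Server:
    denied: List[Tuple[str, str]] = field(default_factory=list)  # audit log of refusals

    def authorized(self, media_id: str, role: str) -> bool:
        """Single policy decision shared by every route that exposes the item."""
        item = CATALOGUE.get(media_id)
        return item is not None and role in POLICY[item["access"]]

    def page(self, media_id: str, role: str) -> int:
        """The /media/{ID} page route: enforces access controls, as the article describes."""
        if media_id not in CATALOGUE:
            return 404
        return 200 if self.authorized(media_id, role) else 403

    def fetch_weak(self, media_id: str, role: str) -> Tuple[int, bytes]:
        """Background fetch endpoint as it behaved: any valid id is served (the IDOR)."""
        item = CATALOGUE.get(media_id)
        return (200, item["data"]) if item else (404, b"")

    def fetch_fixed(self, media_id: str, role: str) -> Tuple[int, bytes]:
        """Fixed endpoint: the same policy guards the bytes, and refusals are recorded."""
        if media_id not in CATALOGUE:
            return 404, b""
        if not self.authorized(media_id, role):
            self.denied.append((media_id, role))  # a burst of these is the detection signal
            return 403, b""
        return 200, CATALOGUE[media_id]["data"]
```

The point of the `denied` log is that sequential requests for many restricted IDs from one client, which the weak endpoint answered silently with 200, now show up as a run of 403s that can be alerted on.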

While the vulnerability has now been fixed, it is not known how much content was accessed and shared across the data hoarder community.

The leak of content at the American Archive followed another incident earlier this year, in which PBS employee contact information was leaked and spread through Discord servers for fans of ‘PBS Kids.’


Both incidents illustrate how archival and fan communities can gain access to sensitive or private data, even when it is not used for malicious purposes.
