American Archive of Public Broadcasting Patches Security Flaw

Summary
– A security flaw in the American Archive of Public Broadcasting’s website allowed unauthorized downloading of protected and private media for years, which was quietly patched this month.
– The vulnerability, an insecure direct object reference (IDOR) flaw, let users bypass access controls by manipulating media IDs in requests to download content.
– The exploit had been used since at least 2021 and circulated within online preservation and data hoarder communities on platforms like Discord.
– Following a report to AAPB, the organization fixed the issue within 48 hours and stated its commitment to strengthening archive security.
– These incidents highlight how archival and fan communities can access sensitive data, as illustrated by this and a previous PBS data leak.
A significant security vulnerability within the American Archive of Public Broadcasting’s (AAPB) website, which enabled unauthorized downloads of protected and private media files for several years, has now been resolved. The flaw, which was quietly patched earlier this month, had reportedly been exploited since at least 2021. A cybersecurity researcher, who chose to remain anonymous, alerted BleepingComputer to the issue, noting that exploitation continued even after they had previously reported it to the organization.
Upon being contacted, AAPB confirmed the security problem. A spokesperson acknowledged the issue, and the researcher verified that a fix was successfully deployed within a remarkably short 48-hour window. Emily Balk, AAPB’s Communications Manager, emphasized the organization’s dedication to its mission, stating, “We’re committed to protecting and preserving the archival material in the AAPB and have strengthened security for the archive.” She added that they look forward to continuing to make public media history freely accessible to everyone.
The AAPB is a collaborative effort between the WGBH Educational Foundation and the Library of Congress. Its core purpose is to collect, digitize, and safeguard historically valuable content originally broadcast on public radio and television across the United States. The vulnerability first gained broader attention through online rumors, particularly in discussions on the Lost Media Wiki Discord channel concerning the leak of a specific Sesame Street episode. The Lost Media Wiki moderators subsequently removed the content, labeling its acquisition as likely stemming from an “illegal data breach” and instructing members not to redistribute it.
The exploit method, initially kept secret, began to spread more widely by mid-2024 among Discord communities dedicated to media preservation. These groups, often referred to as “data hoarders,” focus on archiving a vast array of digital content, from software and websites to television shows and movies. Their activities frequently occupy a gray area where the preservation of copyrighted material can blur into digital piracy. Despite AAPB’s attempts to issue takedowns, the exploit continued to circulate on various Discord servers and messaging platforms.
A proof-of-concept shared with BleepingComputer demonstrated the disarming simplicity of the vulnerability. It involved a basic Tampermonkey script that leveraged an Insecure Direct Object Reference (IDOR) flaw. This type of security weakness allowed users to manipulate the media ID parameter in requests, effectively bypassing the archive’s access controls to retrieve files that were supposed to be private or restricted. While the main web pages for media access had some protective measures, attackers could circumvent them by interfering with background network requests. Crucially, the server would deliver the content for any valid media ID instead of properly returning a ‘403 Forbidden’ error for unauthorized access attempts.
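The failure described above is a missing server-side authorization check, not a clever bypass. The following is an added illustration, not AAPB's code or the researcher's script: a media download endpoint modelled two ways in plain Python, with a `vulnerable_download` handler that serves any valid media ID (the behaviour the article describes) beside a `secure_download` handler that enforces the access policy on the server and returns 403 for unauthorized requests. The catalogue, user roles, access levels and media IDs are all constructed sample data; the audit-log helper shows the detection signal a defender would watch for.

```python
"""Added example (not the AAPB's code): an IDOR-prone media endpoint and its
hardened form. Every record, user, role and ID here is constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed catalogue. Access levels are hypothetical labels:
#   public  - anyone may download
#   onsite  - only reading-room users or archivists
#   private - only archivists
MEDIA = {
    "media-0001": {"title": "Public broadcast", "access": "public", "blob": b"PUBLIC-1"},
    "media-0002": {"title": "Restricted episode", "access": "private", "blob": b"PRIVATE-2"},
    "media-0003": {"title": "On-site only item", "access": "onsite", "blob": b"ONSITE-3"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class Response:
    status: int
    body: bytes = b""


# Denied requests are recorded here; a burst of 403s across many IDs from one
# principal is the signal that someone is enumerating object references.
AUDIT_LOG: list = []


def vulnerable_download(user: Optional[User], media_id: str) -> Response:
    """Checks only that the ID exists. The HTML page may hide the link for
    restricted items, but this endpoint trusts the client, so any request
    carrying a valid ID receives the file."""
    record = MEDIA.get(media_id)
    if record is None:
        return Response(404)
    return Response(200, record["blob"])


def is_authorized(user: Optional[User], record: dict) -> bool:
    """The access decision lives on the server and is evaluated per request."""
    if record["access"] == "public":
        return True
    if user is None:
        return False
    if "archivist" in user.roles:
        return True
    if record["access"] == "onsite" and "reading_room" in user.roles:
        return True
    return False


def secure_download(user: Optional[User], media_id: str) -> Response:
    """Same lookup, but the object's access level is checked against the
    caller's entitlements before any bytes are returned."""
    record = MEDIA.get(media_id)
    if record is None:
        return Response(404)
    if not is_authorized(user, record):
        AUDIT_LOG.append({
            "user": user.name if user else "anonymous",
            "media_id": media_id,
            "result": "denied",
        })
        return Response(403)
    return Response(200, record["blob"])


def denied_attempts_by(user_name: str) -> int:
    """Detection helper: number of denied downloads attributed to one principal."""
    return sum(1 for entry in AUDIT_LOG if entry["user"] == user_name)


if __name__ == "__main__":
    print("vulnerable, anonymous, private item:", vulnerable_download(None, "media-0002").status)
    print("secure, anonymous, private item:   ", secure_download(None, "media-0002").status)
    print("secure, archivist, private item:   ", secure_download(User("alice", {"archivist"}), "media-0002").status)
    print("denied attempts by anonymous:      ", denied_attempts_by("anonymous"))
```

The design point is that hiding a link in the page is not access control; the check has to sit on the endpoint that returns the bytes, and it has to run for every request regardless of how the ID was obtained. Logging the denials gives operations a ready-made query for the enumeration pattern the article describes.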
Although the security hole is now closed, the full extent of the content accessed and shared within data hoarding circles remains unknown. This incident follows another security lapse earlier this year involving the leak of PBS employee contact information, which also spread through Discord servers, including those for fans of PBS Kids. These events highlight a recurring pattern where passionate archival and fan communities can inadvertently, or sometimes intentionally, gain access to sensitive or copyrighted data, raising complex questions about digital preservation and security.
(Source: Bleeping Computer)
