A vulnerability in the American Archive of Public Broadcasting (AAPB) website, an insecure direct object reference (IDOR) flaw, allowed unauthorized users to bypass access controls and download protected and private media files for years, dating back to at least 2021. The exploit, shared via a Tampermonkey script, enabled attackers to manipulate media ID parameters in requests, granting access to restricted content without proper authentication. The flaw was actively exploited by data hoarder communities on Discord, leading to leaks of archival material, including copyrighted and historically significant media (e.g., the *Sesame Street* 'Wicked Witch of the West' episode). While the vulnerability was patched in 2024, the extent of the leaked content remains unknown. The incident highlights the risk posed by archival and fan communities exploiting technical flaws to access sensitive material, even without overtly malicious intent. The AAPB, a nonprofit collaboration between the WGBH Educational Foundation and the Library of Congress, emphasized its commitment to security but faced challenges in containing the spread of the exploit and the leaked files.
TPRM report: https://www.rankiteo.com/company/american-archive-of-public-broadcasting
"id": "ame3002230092325",
"linkid": "american-archive-of-public-broadcasting",
"type": "Vulnerability",
"date": "6/2021",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{
    'affected_entities': [
        {'industry': ['Media', 'Public Broadcasting', 'Archival Services'],
         'location': 'United States',
         'name': 'American Archive of Public Broadcasting (AAPB)',
         'type': 'Nonprofit Archive'},
        {'industry': ['Education', 'Broadcasting'],
         'location': 'Boston, Massachusetts, USA',
         'name': 'WGBH Educational Foundation (GBH)',
         'type': 'Public Media Organization'},
        {'industry': ['Archival Services', 'Public Records'],
         'location': 'Washington, D.C., USA',
         'name': 'Library of Congress',
         'type': 'Government Library'},
        {'industry': 'Media Preservation',
         'location': 'Online (Discord-based)',
         'name': 'Lost Media Wiki',
         'type': 'Online Community'},
    ],
    'attack_vector': ['Web Application Exploit',
                      'Tampering with API Requests (fetch/XMLHttpRequest)',
                      'Insecure Direct Object Reference (IDOR)'],
    'customer_advisories': ['AAPB Public Statement on Strengthened Security'],
    'data_breach': {
        'data_exfiltration': 'Yes (Content Shared in Data Hoarder Communities)',
        'file_types_exposed': ['Video Files', 'Audio Files', 'Media Metadata'],
        'sensitivity_of_data': 'Moderate (Copyrighted and Private Archival Content)',
        'type_of_data_compromised': ['Protected Media Files',
                                     'Private Archival Content',
                                     'Copyrighted Television Episodes'],
    },
    'date_publicly_disclosed': '2024-07',
    'date_resolved': '2024-07',
    'description': "A vulnerability in the American Archive of Public Broadcasting's (AAPB) website allowed unauthorized downloading of protected and private media for years. The flaw, an insecure direct object reference (IDOR), enabled attackers to bypass access controls by tampering with media ID parameters in fetch or XMLHttpRequest calls. The vulnerability was exploited since at least 2021 and was quietly patched in mid-2024 after being reported by an anonymous researcher. The exploit circulated in online preservation communities (e.g., Lost Media Wiki Discord), leading to leaks of protected content, including the Sesame Street 'Wicked Witch of the West' episode. AAPB confirmed the issue and implemented a fix within 48 hours of notification.",
    'impact': {
        'brand_reputation_impact': 'Moderate (Associated with Unauthorized Leaks and Piracy)',
        'data_compromised': ['Protected Media Files',
                             'Private Archival Content',
                             "Sesame Street 'Wicked Witch of the West' Episode"],
        'legal_liabilities': ['Potential Copyright Infringement Claims',
                              'Violation of Access Controls'],
        'operational_impact': ['Takedown Efforts for Leaked Content',
                               'Reputation Risk Due to Unauthorized Access'],
        'systems_affected': ['AAPB Website', 'Media Access API Endpoints'],
    },
    'initial_access_broker': {
        'entry_point': 'Insecure Direct Object Reference (IDOR) in Media Access API',
        'high_value_targets': ['Protected Media Files',
                               'Rare Archival Content (e.g., Sesame Street Episodes)'],
        'reconnaissance_period': 'Since at least 2021 (Exploit Circulated by Mid-2024)',
    },
    'investigation_status': 'Resolved (Vulnerability Patched)',
    'lessons_learned': ['Importance of Server-Side Validation for Direct Object References',
                        'Risks of Gray-Area Preservation Communities Exploiting Vulnerabilities',
                        'Need for Proactive Monitoring of Online Discussions for Exploit Rumors'],
    'motivation': ['Data Preservation (non-malicious but unauthorized)',
                   'Content Archiving',
                   'Gray-Area Piracy'],
    'post_incident_analysis': {
        'corrective_actions': ['Patched IDOR Vulnerability in Media Endpoints',
                               'Enhanced Access Control Mechanisms',
                               'Public Communication on Security Improvements'],
        'root_causes': ['Lack of Server-Side Validation for Media ID Parameters',
                        'Insufficient Access Controls for Protected Content',
                        'Delayed Response to Initial Vulnerability Report (2021)'],
    },
    'recommendations': ['Implement Robust Access Controls for Media Endpoints',
                        'Conduct Regular Security Audits for IDOR Vulnerabilities',
                        'Monitor Online Communities for Signs of Exploit Sharing',
                        'Educate Staff on Secure Coding Practices for API Endpoints'],
    'references': [{'date_accessed': '2024-07',
                    'source': 'BleepingComputer',
                    'url': 'https://www.bleepingcomputer.com'},
                   {'date_accessed': '2024', 'source': 'Lost Media Wiki Discord'}],
    'regulatory_compliance': {
        'regulations_violated': ['Potential Copyright Law Violations (DMCA)',
                                 'Unauthorized Access Laws'],
    },
    'response': {
        'communication_strategy': ['Public Statement by AAPB Communications Manager (Emily Balk)',
                                   'Confirmation of Fix to BleepingComputer'],
        'containment_measures': ['Patching IDOR Vulnerability',
                                 'Takedown Requests for Leaked Content'],
        'incident_response_plan_activated': 'Yes (Fix implemented within 48 hours of notification)',
        'remediation_measures': ['Strengthened Access Controls for Media Endpoints',
                                 'Server-Side Validation of Media ID Requests'],
    },
    'threat_actor': ['Anonymous Cybersecurity Researcher (reporter)',
                     'Data Hoarder Communities (exploiters)',
                     'Discord Preservation Groups'],
    'title': 'Insecure Direct Object Reference (IDOR) Vulnerability in American Archive of Public Broadcasting (AAPB) Website',
    'type': ['Data Breach',
             'Unauthorized Access',
             'Insecure Direct Object Reference (IDOR)'],
    'vulnerability_exploited': 'Insecure Direct Object Reference (IDOR) in media access endpoints (/media/{ID})',
}