The US Department of Defense (DoD) exposed confidential **stream keys**—unique identifiers used for broadcasting on social media platforms like Facebook, YouTube, and X (Twitter)—on its public **Defense Visual Information Distribution Service (DVIDS)** website for years. These keys, if obtained by attackers, could allow unauthorized hijacking of official DoD livestreams, enabling malicious actors to broadcast fake or harmful content under the guise of the Pentagon. The vulnerability was discovered by *The Intercept*, which found that keys for high-profile events—such as the **2018 US Cyber Command change of command ceremony**, **2023 West Point commencement**, and a **2024 National Guard event with Defense Secretary Pete Hegseth**—were publicly accessible via simple URL sequencing or search queries. While the DoD claims the issue has been resolved by revoking old keys and restricting future exposure, the oversight highlights systemic security lapses under current leadership, compounded by prior controversies like **Signalgate** and the use of **China-based employees for Azure cloud support**. The exposure risks **disinformation campaigns**, **reputational damage**, and **potential exploitation by adversarial nation-states**, though no confirmed breaches occurred. The incident underscores persistent vulnerabilities in handling sensitive credentials within a critical government agency.
Source: https://www.theregister.com/2025/09/09/us_dod_exposed_keys/
TPRM report: https://www.rankiteo.com/company/deptofdefense
"id": "dep0792107090925",
"linkid": "deptofdefense",
"type": "Vulnerability",
"date": "6/2018",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Defense/Military',
'location': 'United States',
'name': 'U.S. Department of Defense (DoD)',
'type': 'Government Agency'},
{'industry': 'Defense/Military',
'location': 'United States',
'name': 'Defense Visual Information Distribution '
'Service (DVIDS)',
'type': 'Military Media Portal'},
{'industry': 'Defense/Cybersecurity',
'location': 'United States',
'name': 'U.S. Cyber Command',
'type': 'Military Subcommand'},
{'industry': 'Defense/Education',
'location': 'United States',
'name': 'West Point (U.S. Military Academy)',
'type': 'Educational Institution'}],
'attack_vector': ['Publicly Accessible Stream Keys',
'Improper Access Controls',
'Web Portal Misconfiguration'],
'data_breach': {'sensitivity_of_data': 'High (Confidential Broadcast Access)',
'type_of_data_compromised': ['Stream Keys (Broadcast '
'Credentials)']},
'date_publicly_disclosed': '2024-09-02',
'date_resolved': '2024-09-02',
'description': 'The US Department of Defense (DoD) routinely left its social '
'media accounts (Facebook, YouTube, X/Twitter) vulnerable to '
'hijacking by publicly exposing stream keys—unique, '
'confidential identifiers used for broadcasting content—on its '
'Defense Visual Information Distribution Service (DVIDS) '
'website. These keys, if obtained by attackers, could allow '
'unauthorized parties to broadcast malicious or fraudulent '
"content via the DoD's official channels. The issue was "
'discovered by *The Intercept* and spanned multiple years, '
'affecting high-profile events such as the U.S. Cyber Command '
'change of command ceremony (2018), West Point commencement '
'(2023), and a National Guard event in August 2024. The DoD '
'confirmed the vulnerability has since been remediated by '
'ceasing the public upload of stream keys and implementing new '
'keys.',
'impact': {'brand_reputation_impact': ['Potential Erosion of Public Trust',
'Perception of Lax Cybersecurity '
'Practices'],
'data_compromised': ['Stream Keys (Confidential Broadcast '
'Identifiers)'],
'operational_impact': ['Risk of Unauthorized Livestream Hijacking',
'Potential for Misinformation or Malicious '
'Broadcasts'],
'systems_affected': ['DVIDS Website',
'DoD Social Media Accounts (YouTube, '
'Facebook, X/Twitter)']},
'investigation_status': 'Resolved (Vulnerability Remediated)',
'lessons_learned': ['Public-facing portals must enforce strict access '
'controls for sensitive credentials.',
'Stream keys and similar broadcast identifiers should be '
'treated as highly confidential.',
'Regular audits of public websites for exposed '
'credentials are critical, especially for high-profile '
'organizations.',
'Sequential or predictable URL structures can exacerbate '
'exposure risks.'],
'post_incident_analysis': {'corrective_actions': ['Ceased public upload of '
'stream keys on DVIDS.',
'Generated and deployed new '
'stream keys across all '
'platforms.',
'Updated internal policies '
'for handling broadcast '
'credentials.',
'Likely implemented '
'technical controls to '
'prevent future exposures '
'(e.g., redaction, access '
'restrictions).'],
'root_causes': ['Lack of access controls on DVIDS '
'portal (publicly browsable '
'without authentication).',
'Improper handling of sensitive '
'stream keys (treated as '
'non-confidential).',
'Predictable URL structure '
'enabling enumeration of webcast '
'pages.',
'Inadequate oversight of '
'third-party platform integrations '
'(YouTube, Facebook, X).']},
'recommendations': ['Implement multi-factor authentication (MFA) for '
'accessing media distribution portals.',
'Conduct periodic red-team exercises to identify publicly '
'exposed credentials.',
'Enforce automated scanning for sensitive data (e.g., API '
'keys, stream keys) in public repositories.',
'Provide cybersecurity training for personnel managing '
'public-facing media platforms.',
'Adopt zero-trust principles for third-party integrations '
'(e.g., social media APIs).'],
'references': [{'date_accessed': '2024-09-02', 'source': 'The Intercept'},
{'date_accessed': '2024-09-02', 'source': 'The Register'}],
'response': {'communication_strategy': ['Public Statement to *The Register*',
'Acknowledgment of Fix'],
'containment_measures': ['Removal of Publicly Exposed Stream '
'Keys',
'Discontinuation of Old Key-Sharing '
'Practices'],
'incident_response_plan_activated': True,
'remediation_measures': ['Generation of New Stream Keys',
'Updated Key Distribution Protocol']},
'title': 'US Department of Defense Social Media Stream Key Exposure',
'type': ['Data Exposure', 'Account Hijacking Risk', 'Misconfiguration'],
'vulnerability_exploited': ['Exposed Stream Keys (YouTube, Facebook, '
'X/Twitter)',
'Sequentially Numbered Webcast URLs',
'Lack of Authentication for DVIDS Portal']}