
American Archive of Public Broadcasting website: actively exploited IDOR flaw exposed restricted media

Vulnerability
Happening score
H score 20
1 unique source, 1 article

Summary


The American Archive of Public Broadcasting (AAPB) patched an insecure direct object reference (IDOR) flaw that let users download protected and private media by changing media IDs. Exploitation dates back to at least 2021. A proof-of-concept Tampermonkey script demonstrated the abuse path, in which the flaw bypassed the archive's access controls. The fix was implemented within 48 hours of disclosure, reducing ongoing exposure of archived content.

Timeline

  1. 22.09.2025 23:25 2 articles · 8mo ago

    AAPB website IDOR flaw exposed restricted media

    Initial Disclosure

    A vulnerability in the American Archive of Public Broadcasting website let users download protected and private media by changing media ID parameters in access requests, bypassing background access controls. The bypass also worked through tampered fetch or XMLHttpRequest calls, which should have been rejected with 403 Forbidden. A researcher said the flaw had been exploited since at least 2021. AAPB confirmed the issue and fixed it within 48 hours of disclosure; the exact amount of content accessed and shared remains unknown.
