Insecure Direct Object Reference Exploit in American Archive of Public Broadcasting
Summary
A vulnerability in the American Archive of Public Broadcasting's website allowed unauthorized access and downloading of protected and private media files since at least 2021. The flaw, an insecure direct object reference (IDOR) bug, was exploited to bypass access controls and retrieve restricted content. The issue was fixed in September 2025. The American Archive of Public Broadcasting (AAPB) is a collaborative project between the Library of Congress and WGBH Educational Foundation. The vulnerability was first reported by an anonymous cybersecurity researcher and was exploited by data hoarder communities, leading to the unauthorized sharing of media on platforms like Discord. The exploit was facilitated through a simple Tampermonkey script that manipulated media access requests, bypassing the archive's access controls.
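The flaw class described above, as an added example that is not AAPB's code and is not taken from the cited article: a handler that trusts the media ID supplied in the request, next to one that authorises the caller for the requested object on the server. The catalogue, access levels, session fields and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed catalogue: IDs, access levels and paths are made up for illustration.
@dataclass(frozen=True)
class Media:
    media_id: str
    access: str  # "public", "on_site" or "private" (hypothetical levels)
    path: str

CATALOGUE = {
    m.media_id: m for m in (
        Media("media-0001", "public", "/store/0001.mp4"),
        Media("media-0002", "on_site", "/store/0002.mp4"),
        Media("media-0003", "private", "/store/0003.mp4"),
    )
}

@dataclass(frozen=True)
class Session:
    user: str
    on_site: bool = False
    staff: bool = False

class Forbidden(Exception):
    pass

def serve_media_vulnerable(session, media_id):
    """IDOR pattern: the ID from the request is trusted as-is."""
    return CATALOGUE[media_id].path

def is_allowed(session, media):
    """Object-level policy, evaluated on the server for every request."""
    if media.access == "public":
        return True
    if media.access == "on_site":
        return session.on_site or session.staff
    return session.staff  # "private" and any unrecognised level: staff only

def serve_media(session, media_id):
    """Hardened handler: look up the object, then authorise this caller for it."""
    media = CATALOGUE.get(media_id)
    # Same error for "missing" and "not permitted", so responses do not
    # reveal which IDs exist.
    if media is None or not is_allowed(session, media):
        raise Forbidden(media_id)
    return media.path
```

Because the policy runs on the server against the looked-up object, rewriting the ID on the client side changes which object is checked, not whether the check happens.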
Timeline
- 22.09.2025 23:25 · 1 article
IDOR vulnerability in American Archive of Public Broadcasting exploited since 2021
A vulnerability in the American Archive of Public Broadcasting's website allowed unauthorized access and downloading of protected and private media files since at least 2021. The flaw, an insecure direct object reference (IDOR) bug, was exploited to bypass access controls and retrieve restricted content. The issue was fixed in September 2025. The exploit was facilitated through a simple Tampermonkey script that manipulated media access requests, bypassing the archive's access controls. The vulnerability was first reported by an anonymous cybersecurity researcher and was exploited by data hoarder communities, leading to the unauthorized sharing of media on platforms like Discord.
Sources:
- American Archive of Public Broadcasting fixes bug exposing restricted media — www.bleepingcomputer.com — 22.09.2025 23:25
Information Snippets
- The vulnerability was an insecure direct object reference (IDOR) flaw.
  First reported: 22.09.2025 23:25 · 1 source, 1 article
- The exploit allowed users to change the media ID parameter in access requests, bypassing access controls.
  First reported: 22.09.2025 23:25 · 1 source, 1 article
- The flaw was exploited since at least 2021, with the exploit method circulating in online discussions by mid-2024.
  First reported: 22.09.2025 23:25 · 1 source, 1 article
- The bug was fixed in September 2025, within 48 hours of being reported to AAPB.
  First reported: 22.09.2025 23:25 · 1 source, 1 article
- The exploit was shared as a Tampermonkey script, demonstrating the ease of abuse.
  First reported: 22.09.2025 23:25 · 1 source, 1 article
- The vulnerability was first reported by an anonymous cybersecurity researcher.
  First reported: 22.09.2025 23:25 · 1 source, 1 article
- The exploit was used by data hoarder communities to share restricted media on platforms like Discord.
  First reported: 22.09.2025 23:25 · 1 source, 1 article
- The AAPB is a public nonprofit archive operated by WGBH Educational Foundation and the Library of Congress.
  First reported: 22.09.2025 23:25 · 1 source, 1 article