
American Archive of Public Broadcasting allowed access to restricted media for years

A lack of restrictions allowed data hoarders to steal sensitive and copyrighted material from the AAPB website for years.

Malwarebytes

A security flaw in the American Archive of Public Broadcasting (AAPB) website allowed unauthorized access to protected and private media, according to BleepingComputer.

The American Archive of Public Broadcasting (AAPB) is a collaborative initiative between the Library of Congress and WGBH Educational Foundation, aimed at digitally preserving historically significant public radio and television programs from the past seven decades.

The archives encompass a wide array of materials: news and public affairs programs, local history productions, educational content, science, music, art, literature, environmental programming, and raw interviews from landmark documentaries. The digitized content contains millions of items, including unique, sometimes sensitive material documenting pivotal events, regional culture, and documentary evidence of America’s civil and artistic history.

Access without proper controls could facilitate copyright violations or the misuse of material critical for scholarship, public education, and future generations. And that’s what the discovered vulnerability provided.

Not only did this vulnerability go unnoticed for years, but the researcher who discovered the hole found that active exploitation started at least as early as 2021, even after a previous report by the same researcher to AAPB. But when BleepingComputer reached out, AAPB managed to implement a fix within 48 hours, and the researcher was able to confirm that it worked.

AAPB’s Communications Manager, Emily Balk, told BleepingComputer:

“We’re committed to protecting and preserving the archival material in the AAPB and have strengthened security for the archive.”

The exploit method began circulating on Discord halfway through 2024, but even before that, a simple script allowed users to request media files by ID and bypass AAPB’s access controls. This method worked even if the requested media files fell into protected or private categories. As long as the request had a valid media ID, it was possible to download the content.
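The class of flaw described above, a media endpoint that checks only whether the ID is valid, is shown here next to a version that authorises every request against the item's access category. This is an added illustration, not AAPB's code: the catalogue, IDs, roles, policy table and function names are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed catalogue; IDs, levels and paths are hypothetical, not AAPB's.
@dataclass(frozen=True)
class Media:
    media_id: str
    access: str  # "public", "protected" or "private"
    path: str

CATALOGUE = {
    "demo-0001": Media("demo-0001", "public", "/media/demo-0001.mp4"),
    "demo-0002": Media("demo-0002", "protected", "/media/demo-0002.mp4"),
    "demo-0003": Media("demo-0003", "private", "/media/demo-0003.mp4"),
}

# Assumed policy: which caller roles may fetch each access level.
# None stands for an anonymous, unauthenticated request.
ALLOWED_ROLES = {
    "public": {None, "member", "staff"},
    "protected": {"member", "staff"},
    "private": {"staff"},
}

class Denied(Exception):
    """Raised for both unknown and unauthorised IDs."""

def serve_media_unchecked(media_id: str, role: Optional[str]) -> str:
    """The flaw: a valid ID is the only requirement."""
    media = CATALOGUE.get(media_id)
    if media is None:
        raise Denied("not found")
    return media.path  # access level and caller role are never consulted

def serve_media_checked(media_id: str, role: Optional[str]) -> str:
    """Authorise each request against the item's access level, server-side."""
    media = CATALOGUE.get(media_id)
    # Deny by default: an unknown level or role falls through to refusal, and
    # the same error is returned so responses do not confirm which IDs exist.
    if media is None or role not in ALLOWED_ROLES.get(media.access, set()):
        raise Denied("not found")
    return media.path

def try_fetch(handler, media_id: str, role: Optional[str]) -> Optional[str]:
    """Return the served path, or None when the handler refuses."""
    try:
        return handler(media_id, role)
    except Denied:
        return None
```

The check belongs in the handler that actually serves the file, since hiding protected items from search results or page listings does nothing once an ID is known.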

Apparently, data-hoarder communities that do not care about copyright abused and shared the method for many years. The main impact was the unauthorized access and sharing of archival media, some of which was not intended for public release. This is an institutional and copyright issue.

However, users should:

  • Avoid sharing or downloading protected or leaked content, as you could be in a legal gray area.
  • Be wary of unofficial sources circulating rare or unpublished public broadcasting material.
  • Anticipate phishing emails based on this breach. As with other news events, phishers will use it as clickbait.
