A vulnerability in the American Archive of Public Broadcasting's website allowed downloading of protected and private media for years, with the flaw quietly patched this month.
BleepingComputer was tipped about the flaw by a cybersecurity researcher who asked to remain anonymous, stating that the flaw has been exploited since at least 2021, even after the researcher previously reported it to the organization.
After contacting AAPB about the flaw, a spokesperson confirmed the issue, and the researcher validated that the fix was implemented within 48 hours.
"We're committed to protecting and preserving the archival material in the AAPB and have strengthened security for the archive," stated AAPB's Communications Manager, Emily Balk, to BleepingComputer.
"We look forward to continuing to make public media history free and accessible to the public."
The American Archive, operated by WGBH Educational Foundation (GBH) and the Library of Congress, is a public nonprofit archive whose mission is to collect, digitize, and preserve historically significant content produced by public radio and television in the United States.
BleepingComputer was told that the AAPB vulnerability first circulated as a rumor in online discussions about the leak of the Sesame Street "Wicked Witch of the West" episode on the Lost Media Wiki Discord channel.
Lost Media Wiki took down the episode, saying that it was "likely obtained in an illegal data breach," urging members to refrain from re-sharing it on its Discord channel.
Initially secret, the exploit method began circulating in Discord preservation groups by mid-2024, leading to further leaks of protected content on Discord servers focused on content preservation.
Known as data hoarders, these communities dedicate themselves to archiving software, websites, operating systems, and various forms of media, including TV shows, music, and movies. However, they often operate in a gray area, where copyrighted content is preserved and shared, blurring the line with digital piracy.
... continue reading