AAPB Fixes Vulnerability Allowing Unauthorized Media Access

A flaw in AAPB’s website exposed private media for years, exploited by data hoarders until a recent fix secured the archive and halted unauthorized access.

A years-long flaw in the American Archive of Public Broadcasting (AAPB) website allowed users to download protected and private media files, with the vulnerability quietly patched earlier this month. The issue, discovered by an independent cybersecurity researcher, had been reportedly exploited since at least 2021 despite prior attempts to report it to the organization.

After being contacted about the flaw, AAPB confirmed the issue and fixed it within 48 hours. “We’re committed to protecting and preserving the archival material in the AAPB and have strengthened security for the archive,” said Emily Balk, AAPB’s Communications Manager, in a statement to BleepingComputer.

Vulnerability Exploited by Preservation Communities

The exploit, which circulated as a rumor after the leak of the rare Sesame Street “Wicked Witch of the West” episode on the Lost Media Wiki Discord, was eventually confirmed by preservationist groups. Despite Lost Media Wiki removing the episode and warning members that it was “likely obtained in an illegal data breach,” the proof-of-concept method spread across Discord servers by mid-2024, leading to more leaks of protected content.

Members of data hoarding communities, which focus on archiving software, TV shows, and other media, used the vulnerability to bypass AAPB’s access controls. The researcher shared a simple Tampermonkey script with BleepingComputer demonstrating the exploit. The flaw was an insecure direct object reference (IDOR), which allowed users to change media ID parameters in requests and retrieve files that should have been restricted.

Rather than rejecting these unauthorized requests with a “403 Forbidden” error, AAPB’s server returned the media files as long as the ID was valid. While AAPB has now patched the issue, the extent of accessed or shared content remains unknown.
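As an added illustration (not AAPB's code; the media IDs, access levels, role names and paths are constructed for the demo), here is the IDOR pattern the article describes beside a handler that performs the missing object-level authorization check and answers 403, plus a simple count of denials per client that a defender could use to notice someone walking through IDs:

```python
from typing import List, Optional, Tuple

# Constructed sample catalogue (hypothetical IDs, access levels and paths;
# the article gives none of AAPB's real values).
MEDIA = {
    "demo-id-0001": {"access": "online", "path": "/media/0001.mp4"},
    "demo-id-0002": {"access": "restricted", "path": "/media/0002.mp4"},
    "demo-id-0003": {"access": "private", "path": "/media/0003.mp4"},
}

# Assumed policy: the role each access level requires (not AAPB's actual rules).
REQUIRED_ROLE = {"online": "public", "restricted": "onsite", "private": "staff"}


class User:
    def __init__(self, name: str, roles: frozenset):
        self.name = name
        self.roles = roles


def fetch_media_vulnerable(media_id: str) -> Tuple[int, Optional[str]]:
    """The IDOR pattern the article describes: any valid ID is served."""
    rec = MEDIA.get(media_id)
    return (404, None) if rec is None else (200, rec["path"])


def fetch_media_fixed(media_id: str, user: User, log: List[str]) -> Tuple[int, Optional[str]]:
    """Object-level authorization: compare the record's access level with the
    caller's roles before serving; on failure answer 403 and write an audit line."""
    rec = MEDIA.get(media_id)
    if rec is None:
        return (404, None)
    if REQUIRED_ROLE[rec["access"]] not in user.roles:
        log.append(f"DENY user={user.name} id={media_id} level={rec['access']}")
        return (403, None)
    return (200, rec["path"])


def enumeration_suspects(log: List[str], threshold: int = 3) -> set:
    """Clients with at least `threshold` denials: the signature of ID walking,
    which the vulnerable handler never produced because it never denied."""
    counts: dict = {}
    for line in log:
        if line.startswith("DENY"):
            user = line.split()[1].split("=", 1)[1]
            counts[user] = counts.get(user, 0) + 1
    return {u for u, c in counts.items() if c >= threshold}
```

The fixed handler keeps 404 for unknown IDs and reserves 403 for known-but-unauthorized ones, so the audit log only fills with denials when a caller is probing objects they cannot see.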

Implications for Archives and Digital Preservation

The AAPB incident highlights how even nonprofit archives are at risk of vulnerabilities being exploited by communities with preservationist motives. Earlier this year, PBS suffered a separate breach that exposed employee contact data, which also spread through Discord servers dedicated to PBS Kids fans.

These cases reveal how archival content and personal data can end up in the hands of enthusiasts and data hoarders, sometimes without malicious intent, but still raising security and copyright concerns. Experts warn that institutions managing historically significant collections must adopt stricter access controls, continuous vulnerability testing, and robust monitoring to prevent future leaks.
