Article Details
Scrape Timestamp (UTC): 2025-09-09 17:58:47.317
Source: https://www.theregister.com/2025/09/09/us_dod_exposed_keys/
Original Article Text
Defense Dept didn't protect social media accounts, left stream keys out in public

'The practice… has since been fixed,' Pentagon official tells The Reg

The US Department of Defense, up until this week, routinely left its social media accounts wide open to hijackers via stream keys - unique, confidential identifiers generated by streaming platforms for broadcasting content. If exposed, these keys can allow attackers to output anything they want from someone else's channel.

This was revealed by The Intercept's most recent investigation, published on Monday, which found that the Pentagon for years posted stream keys on its Defense Visual Information Distribution Service (DVIDS) website.

According to the department, this security hole has since been closed.

"The practice of uploading stream keys publicly on DVIDS has since been fixed," a Defense Department official told The Register. "New stream keys have been implemented and will no longer be shared the old way. Any remaining cached info that would show stream keys would be old and out of date."

The DVIDS website is open to the public and doesn't require an account to browse, and it hosts military and administration videos, along with a schedule of upcoming webcasts. Up until this week, it also exposed some stream keys to its Facebook, YouTube, and X channels, leaving its livestreams open to account takeovers:

For example, Twitter stream keys were posted for the U.S. Cyber Command change of command ceremony live stream in 2018. X and YouTube keys were also posted for last year's West Point commencement ceremony. More recently, the stream keys for the department's X, YouTube, and Facebook accounts were posted in the hours leading up to a livestream of Defense Secretary Pete Hegseth giving burgers to the National Guard in Washington, D.C. in August.

These keys weren't hard to find, we're told, and could be seen by browsing the portal's sequentially-numbered webcast URLs, or Googling "stream key" and "DVIDS."

They also aren't supposed to be made public. Google calls them "your YouTube stream's password and address," and Facebook warns: "Don't share your stream key. Anyone who has access to it can stream video from your page."

To be fair to the current administration, this security oversight appears to have started before Trump 2.0 took office. But considering the Pentagon security snafus that have happened under Defense Secretary Pete Hegseth's watch, including using China-based employees to support Microsoft Azure cloud services deployed by the DoD (this practice just ended late last month), and - lest we forget - Signalgate, it seems to be par for the course.

Daily Brief Summary
The U.S. Department of Defense inadvertently exposed stream keys on its public DVIDS website, risking unauthorized control over its social media broadcasts.
Stream keys, crucial for secure broadcasting, were accessible through simple web searches or browsing sequential URLs, posing a significant security risk.
This vulnerability affected high-profile events, including the U.S. Cyber Command ceremony and West Point commencement, by exposing keys for platforms like YouTube and Facebook.
The Defense Department has since rectified the issue by implementing new stream keys and discontinuing the practice of publicly posting them.
The incident highlights ongoing security challenges within the Pentagon, following previous concerns about cloud service management and data handling.
This oversight underscores the importance of stringent cybersecurity protocols, especially in safeguarding sensitive military communications.
Organizations are reminded to regularly audit and secure digital access points to prevent unauthorized use and potential reputational damage.