The newly renamed Department of War has publicly posted the stream keys of its Facebook, X, and YouTube channels for years, potentially allowing hackers to hijack its official social media accounts and broadcast whatever they want.
A stream key is like an account password for livestreaming content on social media. Before a stream goes live on a user’s social media account, they must input a stream key into their broadcast software of choice.
Google, which owns YouTube, describes stream keys as being akin to “your YouTube stream’s password and address.” Facebook tells streamers “Don’t share your stream key. Anyone who has access to it can stream video from your page.”
The Department of War, however, routinely posts stream keys on its Defense Visual Information Distribution Service (DVIDS) website, a portal hosting military videos and photos for media usage. The website is open to the public and doesn’t require an account to browse – or to come across stream keys.
An Intercept analysis found that the Department of War has publicly posted stream keys on this service for years. The stream keys are typically posted prior to upcoming scheduled streams. For example, Twitter stream keys were posted for the U.S. Cyber Command change of command ceremony livestream in 2018. X and YouTube keys were also posted for last year’s West Point commencement ceremony. More recently, the stream keys for the department’s X, YouTube, and Facebook accounts were posted in the hours leading up to a livestream of Defense Secretary Pete Hegseth giving burgers to the National Guard in Washington, D.C., in August.
They aren’t hard to find. The stream key posted on the DVIDS site can be seen by browsing the portal’s sequentially-numbered webcast URLs, or querying search engines for terms such as “stream key” and “DVIDS.” At times the Department of War uses stream keys that expire after each stream, allowing the takeover of one specific upcoming event but preventing persistent unauthorized access. Sometimes, however, the Department of War leaves stream keys unchanged for years, allowing for the takeover of upcoming streams on various social media platforms even if the stream keys for a specific event aren’t posted for that event.
This vulnerability wouldn’t allow attackers to take over social media feeds at any time. A hacker would need to wait for an upcoming Department of War webcast and then use the keys to start broadcasting their own content. The Pentagon maintains a public schedule of upcoming webcasts on its DVIDS site.
Stream keys are not made public for all Department of War streams. For instance, the keys were not publicly disclosed on September 5 for the livestream of President Trump signing an executive order rebranding the Department of Defense as the Department of War.
The Department of War did not respond to multiple requests for comment.
The Intercept has found no evidence that stream keys have been exploited to take over a Department of War stream. But past security incidents show the danger of such vulnerabilities. Imposters, for instance, have used artificial intelligence tools to impersonate politicians, including mimicking Secretary of State Marco Rubio’s voice to contact various U.S. politicians and foreign ministers. If this kind of deceptive content appeared on official government channels, even briefly, the consequences could be significant, warned security technologist Bruce Schneier. “You can imagine this being used for some kind of confusion event,” he cautioned.
AI-based hoaxes can have wide-ranging implications. In 2023, for example, a fake image of smoke coming from a building near the Pentagon caused a dip in the stock market. The Department of War is no stranger to security lapses, including discussing a bombing campaign in Yemen on Signal with journalists earlier this year.
Exposing stream keys “doesn’t rise to the level of putting strangers on your Signal chat,” Schneier said, but he considers it a sloppy practice that should be fixed immediately.
Cooper Quintin, Senior Staff Technologist at the Electronic Frontier Foundation, said that the “concern here is less that an adversary would spread disinformation — our own federal government is doing plenty of that already.”
The bigger risk, Quintin said, is that the vulnerability could be used to discredit real footage. “This could be used to lend plausible deniability to any legitimate videos that got posted to that account.”
In other words, the government could use this as justification to erase any official stream – say an embarrassing press conference or a hot mic moment – by claiming it was manipulated content posted by a hacker, not a video posted by the Department of War itself.