Inside the Building Permit Portal of America’s Largest City
While trying to understand whether a venue renovation would pass inspection, I discovered a major access control flaw in a municipal building portal.
Michael Cummings
September 14, 2025

Earlier this year I went down a bit of a rabbit hole.
It started with a music venue.
The Situation
A major electronic music venue in Brooklyn had been undergoing renovations and inspections for months. There were rumors circulating about delayed approvals, failed inspections, and uncertainty about reopening.
If you’ve ever tried to get tickets there, you know the drill — huge lines, sold-out shows, and massive anticipation around reopening.
I got curious about the inspection process and started digging into the public building permit portal that cities use to publish construction filings and inspection records.
These systems are designed to make certain information public: permits, approvals, inspection outcomes, and filings.
But what I found went *far* beyond that.
Discovering the Access Issue
While browsing the portal I noticed that many documents were fetched through predictable URLs. After inspecting the request patterns, it became clear the system relied heavily on sequential document IDs.
Changing those IDs in requests returned different files.
At first I assumed I was just seeing other public filings.
But very quickly it became clear that the system was returning **far more than intended**.
Things like:
And not just for one building.
For **every building in the city**.
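The access pattern described above, shown from the server side as an added example (not code from the portal or from this post): a store that serves sequential IDs with no check, beside a version that authorizes every request against the document itself. All names here (`DocumentStore`, `fetch_checked`, the `public` flag, the `B-1` building ID) are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    building_id: str
    title: str
    public: bool  # True only for records meant for publication

class DocumentStore:
    def __init__(self):
        self._by_seq = {}    # sequential ID -> Document (the pattern the post describes)
        self._by_token = {}  # unguessable token -> Document
        self._next_seq = 1000

    def add(self, doc):
        seq, token = self._next_seq, secrets.token_urlsafe(16)
        self._next_seq += 1
        self._by_seq[seq] = self._by_token[token] = doc
        return seq, token

    def fetch_unchecked(self, seq):
        # Weak form: knowing (or guessing) the ID is the only requirement.
        return self._by_seq[seq]

    def fetch_checked(self, token, caller_buildings):
        # Hardened form: the caller is authorized against this object on every
        # request. The random token only slows guessing; the check is the control.
        doc = self._by_token.get(token)
        if doc is None or not (doc.public or doc.building_id in caller_buildings):
            # One error for "missing" and "forbidden", so replies do not confirm IDs.
            raise PermissionError("document not available")
        return doc

def is_blocked(store, token, caller_buildings):
    try:
        store.fetch_checked(token, caller_buildings)
        return False
    except PermissionError:
        return True

def demo():
    # Constructed sample data, not taken from any real portal.
    store = DocumentStore()
    _, permit = store.add(Document("B-1", "Permit approval", public=True))
    seq, plans = store.add(Document("B-1", "Structural plans", public=False))
    anon, filer = frozenset(), frozenset({"B-1"})  # buildings each caller is a party to
    return {"unchecked_leaks": store.fetch_unchecked(seq).title,
            "anon_blocked": is_blocked(store, plans, anon),
            "anon_public": store.fetch_checked(permit, anon).title,
            "filer_plans": store.fetch_checked(plans, filer).title}
```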
Testing the Scope
To confirm this wasn’t limited to the venue renovation, I tried querying a few well-known buildings.
The same access pattern worked.
The portal returned full document packages including structural plans, inspection reports, and filing histories.
This was clearly not intended to be publicly accessible.
Responsible Disclosure
At this point I stopped further exploration and reported the issue through the city’s bug bounty program.
I provided:
Because the issue still hasn’t been fully resolved, I’m intentionally avoiding publishing technical details or naming the specific system.
Why This Matters
Municipal software often sits in a strange place between public transparency and sensitive infrastructure.
Building plans can contain:
Access control mistakes in systems like this can expose massive amounts of data unintentionally.
The Original Motivation
Ironically, this entire investigation started because I just wanted to know one thing:
Would the venue pass inspection?
Now, months later, the story has taken a few more twists — including the venue’s operator filing for bankruptcy — but that’s a story for another time.
Sometimes curiosity leads you down unexpected paths.





