Inside the Building Permit Portal of America’s Largest City

While trying to understand whether a venue renovation would pass inspection, I discovered a major access control flaw in a municipal building portal.

Michael Cummings

September 14, 2025 · 3 min read

One World Trade Center rising above Lower Manhattan, photographed on 35mm Fujifilm with my Nikon FE from the West Village.

Earlier this year I went down a bit of a rabbit hole.

It started with a music venue.

The Situation

A major electronic music venue in Brooklyn had been undergoing renovations and inspections for months. There were rumors circulating about delayed approvals, failed inspections, and uncertainty about reopening.

At the time, there was a lot of speculation about whether the venue would pass its inspections and reopen on schedule. I got curious about how the inspection process worked and started exploring the city's public building permit portal.

These portals exist to provide transparency into construction activity. You can typically see things like:

  • permit filings
  • inspection results
  • contractor information
  • approval history

But they also host a large number of documents associated with each job filing.

Discovering the Access Issue

While browsing through a few filings, I noticed something odd.

Some documents were clearly intended to be public and downloadable. Others appeared in the interface but displayed an “unauthorized” message unless you were a stakeholder on the project.

Naturally, I assumed those documents were protected properly.

But while inspecting how the portal handled document downloads, I discovered that the backend wasn’t consistently enforcing the same permissions that the interface was displaying.

In other words:

The UI said “you can’t access this document”, but the server would still return it under certain conditions.
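The gap between what the interface shows and what the server enforces can be modelled in a few lines. This is an added illustration, not the portal's code or its actual flaw: the document store, user names, and every function name below are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: str
    filing_id: str
    public: bool

# Constructed sample data, not taken from any real portal.
DOCUMENTS = {
    "d1": Document("d1", "filing-A", public=True),
    "d2": Document("d2", "filing-A", public=False),
    "d3": Document("d3", "filing-B", public=False),
}
STAKEHOLDERS = {"filing-A": {"alice"}, "filing-B": {"bob"}}

class Forbidden(Exception): ...

def can_read(user, doc):
    """Single authorization decision shared by every code path."""
    return doc.public or (user is not None
                          and user in STAKEHOLDERS.get(doc.filing_id, set()))

def list_documents(user, filing_id):
    """What the interface renders: each document id plus an 'allowed' flag."""
    return [(d.doc_id, can_read(user, d))
            for d in DOCUMENTS.values() if d.filing_id == filing_id]

def download_ui_only(user, doc_id):
    """Flawed pattern: assumes the UI hid the link, so the handler never checks."""
    return f"contents of {doc_id}"

def download_enforced(user, doc_id):
    """Hardened pattern: re-check on every request; missing and forbidden
    documents raise the same error so the response reveals nothing extra."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_read(user, doc):
        raise Forbidden(doc_id)
    return f"contents of {doc.doc_id}"

def audit(handler, users=(None, "alice", "bob")):
    """Regression check: (user, doc) pairs the handler serves but policy denies."""
    leaks = []
    for user in users:
        for doc in DOCUMENTS.values():
            if can_read(user, doc):
                continue
            try:
                handler(user, doc.doc_id)
                leaks.append((user, doc.doc_id))
            except Forbidden:
                pass
    return leaks
```

Running `audit` against each download handler in a test suite turns "the UI and the backend disagree" into a failing test instead of a finding in production.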

Once I realized this, it became clear that the problem was much larger than a single project.

Testing the Scope

To confirm whether this was isolated or systemic, I tested the same behavior on a few other filings.

It worked.

Then I tried different buildings.

It still worked.

Eventually it became clear that the issue potentially affected documents across the entire system — including architectural plans, sketches, and internal filing documents for buildings all over the city.

Responsible Disclosure

Instead of digging deeper, I documented the issue and reported it through the city's bug bounty program.

My report included:

  • a clear explanation of the authorization issue
  • steps to reproduce the problem
  • examples of documents that could be accessed unintentionally
  • recommendations for fixing the backend permission checks

Because the vulnerability involves access control in a live municipal system, I’m intentionally leaving out specific technical details until it is fully resolved.

Why This Matters

Municipal permitting systems sit at an interesting intersection of public transparency and sensitive infrastructure.

Some information should absolutely be public.

But detailed construction documents can include things like:

  • full architectural plans
  • structural layouts
  • building systems diagrams
  • engineering calculations

If access controls are implemented incorrectly, systems like this can unintentionally expose far more information than intended.

The Original Motivation

Ironically, this entire investigation started because I just wanted to answer one simple question:

Would the venue pass inspection and reopen?

What began as curiosity about a nightclub renovation ended up uncovering a much larger issue in the city’s permitting software.

Sometimes pulling on a small thread leads somewhere unexpected.

(And in this case, somewhere I definitely wasn't planning to go.)
