Inside the Building Permit Portal of America’s Largest City

While trying to understand whether a venue renovation would pass inspection, I discovered a major access control flaw in a municipal building portal.

Michael Cummings

September 14, 2025 · 3 min read

[Image: The New York City skyline with the Statue of Liberty in the background]

Earlier this year I went down a bit of a rabbit hole.

It started with a music venue.

The Situation

A major electronic music venue in Brooklyn had been undergoing renovations and inspections for months. There were rumors circulating about delayed approvals, failed inspections, and uncertainty about reopening.

If you’ve ever tried to get tickets there, you know the drill — huge lines, sold-out shows, and massive anticipation around reopening.

I got curious about the inspection process and started digging into the public building permit portal that cities use to publish construction filings and inspection records.

These systems are designed to make certain information public: permits, approvals, inspection outcomes, and filings.

But what I found went far beyond that.

Discovering the Access Issue

While browsing the portal I noticed that many documents were fetched through predictable URLs. After inspecting the request patterns, it became clear the system relied heavily on sequential document IDs.

Changing those IDs in requests returned different files.

At first I assumed I was just seeing other public filings.

But very quickly it became clear that the system was returning far more than intended.

Things like:

  • full architectural plan sets
  • structural drawings
  • inspection reports
  • internal review documents

And not just for one building.

For every building in the city.
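As an added illustration of the class of flaw described above (this is example code, not the portal's code, and not the technical details the author is withholding), here is a document endpoint that serves whatever record a sequential id points at, beside a version that authorizes the specific object before returning it. The in-memory store, the account names, the reviewer role and the `/documents/<id>` route are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    building: str
    kind: str      # "permit", "plan_set", "inspection_report", "internal_review"
    public: bool   # True only for filings meant to be published
    owner: str     # account that submitted the filing


# Constructed sample store: sequential ids, public and restricted records mixed,
# which is what makes id-guessing rewarding when authorization is missing.
DOCUMENTS = {
    1001: Document(1001, "BLDG-A", "permit", True, "filer-1"),
    1002: Document(1002, "BLDG-A", "plan_set", False, "filer-1"),
    1003: Document(1003, "BLDG-B", "inspection_report", True, "filer-2"),
    1004: Document(1004, "BLDG-B", "internal_review", False, "reviewer-1"),
}
REVIEWER_ROLE = {"reviewer-1"}  # hypothetical accounts allowed to read any restricted filing


def fetch_vulnerable(doc_id: int, requester: Optional[str]) -> Optional[Document]:
    """Vulnerable handler: looks the record up by id and nothing else.

    The requester is ignored, so any caller who changes the id in the request
    receives whatever record that id points at (an insecure direct object reference).
    """
    return DOCUMENTS.get(doc_id)


def fetch_hardened(doc_id: int, requester: Optional[str]) -> Optional[Document]:
    """Hardened handler: authorizes the specific object before returning it.

    Public filings are served to anyone; restricted ones only to the filer or a
    reviewer. Denied and nonexistent ids both return None, so the response does
    not reveal which ids exist behind the authorization check.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return None
    if doc.public:
        return doc
    if requester is not None and (requester == doc.owner or requester in REVIEWER_ROLE):
        return doc
    return None


Handler = Callable[[int, Optional[str]], Optional[Document]]


def handle_request(handler: Handler, path: str, requester: Optional[str]) -> tuple:
    """Minimal router for GET /documents/<id>; returns (status, body)."""
    prefix = "/documents/"
    if not path.startswith(prefix) or not path[len(prefix):].isdigit():
        return 400, "bad request"
    doc = handler(int(path[len(prefix):]), requester)
    if doc is None:
        return 404, "not found"
    return 200, f"{doc.building}/{doc.kind}"


def visible_documents(handler: Handler, requester: Optional[str]) -> list:
    """Ids a given requester can read under a handler; used to compare the two."""
    return [d for d in sorted(DOCUMENTS) if handler(d, requester) is not None]


if __name__ == "__main__":
    for name, h in (("vulnerable", fetch_vulnerable), ("hardened", fetch_hardened)):
        print(name, "anonymous sees", visible_documents(h, None))
        print(name, "filer-1 sees", visible_documents(h, "filer-1"))
```

The fix is the per-object check, not the id format: switching to random ids would make guessing harder but would still leave every record one leaked link away, so the hardened handler decides on the record's own `public` flag and ownership on every request.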

Testing the Scope

To confirm this wasn’t limited to the venue renovation, I tried querying a few well-known buildings.

The same access pattern worked.

The portal returned full document packages including structural plans, inspection reports, and filing histories.

This was clearly not intended to be publicly accessible.

Responsible Disclosure

At this point I stopped further exploration and reported the issue through the city’s bug bounty program.

I provided:

  • the endpoint responsible
  • reproduction steps
  • examples of exposed documents
  • recommendations for fixing the access control

Because the issue still hasn’t been fully resolved, I’m intentionally avoiding publishing technical details or naming the specific system.

Why This Matters

Municipal software often sits in a strange place between public transparency and sensitive infrastructure.

Building plans can contain:

  • structural layouts
  • security system locations
  • emergency infrastructure
  • engineering calculations

Access control mistakes in systems like this can expose massive amounts of data unintentionally.
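From the operator's side, a broken check like this leaves a recognisable trace in the web server's access logs: one client walking adjacent document ids in quick succession. The following is an added example (not from the post or the portal) that parses common-log-format lines and flags clients whose document requests step through consecutive ids; the log excerpt, the hosts (documentation address ranges), the `/documents/<id>` path and the thresholds are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed access-log excerpt in common log format. 203.0.113.5 walks
# consecutive document ids; 198.51.100.7 browses normally. Neither is a real host.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2025:10:00:01 +0000] "GET /documents/1001 HTTP/1.1" 200 5120
203.0.113.5 - - [14/Sep/2025:10:00:02 +0000] "GET /documents/1002 HTTP/1.1" 200 88210
203.0.113.5 - - [14/Sep/2025:10:00:03 +0000] "GET /documents/1003 HTTP/1.1" 200 4101
203.0.113.5 - - [14/Sep/2025:10:00:04 +0000] "GET /documents/1004 HTTP/1.1" 200 73300
203.0.113.5 - - [14/Sep/2025:10:00:05 +0000] "GET /documents/1005 HTTP/1.1" 404 210
203.0.113.5 - - [14/Sep/2025:10:00:06 +0000] "GET /documents/1006 HTTP/1.1" 200 9002
198.51.100.7 - - [14/Sep/2025:10:01:10 +0000] "GET /search?q=brooklyn HTTP/1.1" 200 1800
198.51.100.7 - - [14/Sep/2025:10:01:15 +0000] "GET /documents/1003 HTTP/1.1" 200 4101
198.51.100.7 - - [14/Sep/2025:10:02:40 +0000] "GET /documents/2210 HTTP/1.1" 200 6200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
DOC_RE = re.compile(r"^/documents/(\d+)$")


def parse_document_requests(log_text: str) -> Dict[str, List[int]]:
    """Map each client to the document ids it requested, in log order."""
    per_client: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production parser would count these
        d = DOC_RE.match(m.group("path"))
        if d:
            per_client[m.group("client")].append(int(d.group(1)))
    return dict(per_client)


def find_enumerators(per_client: Dict[str, List[int]], min_ids: int = 5,
                     min_step_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag clients whose document requests look like a walk over adjacent ids.

    A client is flagged when it touched at least `min_ids` distinct ids and at
    least `min_step_ratio` of its consecutive requests differ by exactly one.
    The thresholds are constructed for the sample; tune them on real traffic.
    """
    flagged = {}
    for client, ids in per_client.items():
        distinct = len(set(ids))
        if distinct < min_ids or len(ids) < 2:
            continue
        steps = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
        ratio = steps / (len(ids) - 1)
        if ratio >= min_step_ratio:
            flagged[client] = {
                "distinct_ids": distinct,
                "step_ratio": round(ratio, 2),
                "id_range": (min(ids), max(ids)),
            }
    return flagged


if __name__ == "__main__":
    for client, info in find_enumerators(parse_document_requests(SAMPLE_LOG)).items():
        print(client, info)
```

Status codes are deliberately not part of the signal: on a system with the flaw, enumeration returns mostly 200s, so counting 404s alone would miss exactly the case that matters. The check on the id sequence works either way, and the 404 count is still worth keeping alongside it once the authorization fix is in place.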

The Original Motivation

Ironically, this entire investigation started because I just wanted to know one thing:

Would the venue pass inspection?

Now months later the story has taken a few more twists — including the venue’s operator filing for bankruptcy — but that’s a story for another time.

Sometimes curiosity leads you down unexpected paths.

