Exploiting vulnerabilities in Johnson and Johnson web apps
7 hours ago
- #vulnerability-disclosure
- #Johnson-Johnson
- #web-security
- Vulnerabilities in two Johnson & Johnson web apps were disclosed: a campus recruiting system and an internal audit tracking management system.
- The campus recruiting system exposed nearly 1,000 students' details due to an API key authentication flaw, later fixed by implementing MSAL Bearer tokens.
- The audit tracking management system allowed admin takeover via unauthenticated APIs, compromising data across 20 associated companies.
- Exploits involved bypassing MSAL authentication by spoofing user sessions and manipulating client-side code to gain unauthorized access.
- Reporting timeline showed delays, with the campus recruiting issue resolved quickly, but the audit system required journalist intervention for a fix.
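The common thread in both findings is that access decisions depended on something the client controlled (a static API key, or client-side code that decided who was an admin) rather than on a token the server verifies itself. The following is an added illustration, not code from the disclosure or from either application, of the server-side check that makes "MSAL Bearer tokens" an actual fix: the handler only trusts roles that appear in a bearer token whose signature, issuer, audience and expiry it has validated, so editing client-side state or a token payload without the signing key gets a request rejected. It assumes an HS256-signed token with a constructed shared secret so it runs offline; real MSAL/Entra ID access tokens are RS256-signed and must be validated against the tenant's published signing keys instead, and the issuer and audience values below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only. A real deployment validates the
# identity provider's RS256 signature against its published JWKS (assumption),
# and the issuer/audience come from the tenant and app registration.
SERVER_SECRET = b"demo-secret-not-for-production"
EXPECTED_ISSUER = "https://login.example-idp.test/tenant"
EXPECTED_AUDIENCE = "api://audit-tracking-demo"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, secret=SERVER_SECRET):
    """Mint an HS256 JWT; stands in for the identity provider in this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_bearer(auth_header, now=None, secret=SERVER_SECRET):
    """Return verified claims, or None if the request must be rejected.

    Every check here runs on the server; nothing the browser sends is trusted
    until the signature over the exact bytes it sent has been verified.
    """
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: a token claiming "none" or another alg is rejected.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Issuer and audience bind the token to this IdP and this API.
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def authorize_admin(request_headers, now=None):
    """Server-side decision: admin only if the verified token carries the role.

    Client-supplied hints such as an X-Role header are deliberately ignored.
    """
    claims = validate_bearer(request_headers.get("Authorization", ""), now)
    return claims is not None and "admin" in claims.get("roles", [])


if __name__ == "__main__":
    now = 1_700_000_000
    good = issue_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                        "exp": now + 600, "sub": "auditor-1", "roles": ["admin"]})
    print("signed admin token:", authorize_admin({"Authorization": "Bearer " + good}, now))
    print("client-side role hint only:", authorize_admin({"X-Role": "admin"}, now))
```

The point of the example is where the decision lives: `authorize_admin` never reads a role from anything the client can edit, so rewriting the front-end JavaScript or changing a claim in the payload without the signing key changes nothing on the server.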