I hacked Monster Energy
14 hours ago
- #Corporate Negligence
- #Data Exposure
- #Cybersecurity
- The article reports that several pieces of Monster Energy's corporate infrastructure were exposed, each traceable to a poor security decision.
- Monster University (mu.monsterenergy.com) had a flawed authentication flow: changing '/login' to '/register' in the URL reached a registration page that was not meant to be available.
- The registration form on that page did not work, but the API endpoint behind it was reachable directly, and calling it gave full access to Monster University's training materials.
- Monster Energy's brand training included stereotypical and questionable profiling of their core consumers.
- Monster University hosted a cybersecurity course on the same inadequately secured platform, an irony the article points out.
- Corporate culture details were exposed, including Zoom meeting schedules and an internal rewards system called 'Beast Bux.'
- An OpenText API was reachable without authentication and allowed access to Monster's entire file system.
- A ClickUp integration mistake exposed an administrator's private account token, which could grant access to all of the company's private documents and projects.
- Monster Energy did not respond to the vulnerability reports, and the OpenText API was still active when the article was written.
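The Monster University and OpenText findings above share one pattern: a control that exists only in the front end (a hidden form, a broken page) while the endpoint that does the real work accepts requests with no server-side check. The following is an added, hypothetical Python illustration of that pattern and its fix; it is not Monster Energy's code and nothing in it comes from the original article. The `/register` page, the `/api/register` endpoint, the `REGISTRATION_OPEN` flag and the probe input are all assumptions. The vulnerable handler "closes" registration by not rendering the form, the hardened handler enforces the same flag at the endpoint itself, and the probe skips the form and posts straight to the API, the way the article's bypass did.

```python
"""Hypothetical illustration of UI-only gating (not Monster Energy's code).

Assumed: a REGISTRATION_OPEN flag an operator has switched off, a /register
page and an /api/register endpoint behind it. All input is constructed.
"""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REGISTRATION_OPEN = False  # assumed operator setting: registration is "closed"


class VulnerableHandler(BaseHTTPRequestHandler):
    """Hides the registration form when closed, but the API still creates accounts."""

    def do_GET(self):
        if self.path == "/register":
            if REGISTRATION_OPEN:
                self._send(200, "<form method='post' action='/api/register'>...</form>")
            else:
                # The only "gate": the form is not rendered. Nothing stops a direct POST.
                self._send(200, "<p>Registration is currently closed.</p>")
        else:
            self._send(404, "not found")

    def do_POST(self):
        if self.path != "/api/register":
            self._send(404, "not found")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        # BUG: REGISTRATION_OPEN is never consulted here, so hiding the form gates nothing.
        self._send(201, json.dumps({"created": body.get("email")}))

    def _send(self, status, text):
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the example quiet


class HardenedHandler(VulnerableHandler):
    """Same routes; the policy is enforced at the endpoint that does the work."""

    def do_POST(self):
        if self.path == "/api/register" and not REGISTRATION_OPEN:
            self._send(403, json.dumps({"error": "registration closed"}))
            return
        super().do_POST()


def serve(handler_cls):
    """Start a handler on a random loopback port in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_register(port):
    """Skip the form and POST straight to the API; return the HTTP status code."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(
        "POST",
        "/api/register",
        body=json.dumps({"email": "probe@example.test"}),  # constructed input
        headers={"Content-Type": "application/json"},
    )
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def compare():
    """Probe both variants: the vulnerable one answers 201, the hardened one 403."""
    results = {}
    for name, handler_cls in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        server = serve(handler_cls)
        try:
            results[name] = probe_register(server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(compare())  # {'vulnerable': 201, 'hardened': 403}
```

Running it shows the vulnerable server creating an account (201) while the hardened one refuses (403) from the same request. The check a practitioner wants here is the probe itself: for every "disabled" page or feature, call the endpoint behind it directly and confirm the server, not the UI, says no. The same reasoning applies to the OpenText API and the ClickUp token in the findings above: a control that lives only in a front end or a workflow, rather than at the API that serves the data, is not a control.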