
J&J Left 13.6k Employee Records Accessible Via Unauthenticated APIs

eaton-works.com · @deep_lion · 1 hour ago · Cybersecurity · 2 comments

A researcher bypassed client-side MSAL checks in two J&J web apps, exposing student data and an internal audit system used by 20 subsidiaries.

Tags: johnson & johnson · campus recruiting · audit tracking management system · msal · api security · vulnerability disclosure

Eaton found two J&J web apps with the same root cause: client-side authentication that any frontend hacker can bypass, exposing 13.6k employee records and nearly 1,000 student profiles.

Campus Recruiting: Hardcoded API Key Instead of Bearer Token

J&J's Campus Recruiting site let students enter an event key to submit their info. Behind the scenes, the private /recruiter routes used Microsoft Authentication Library (MSAL) on the frontend to restrict access. But Eaton discovered the MSAL token was never actually sent to the AWS APIs. Instead, a hardcoded API key authenticated every request.

Eaton hacked the MSAL client-side code to always return a logged-in account. That was it. No token validation on the server. Once past the fake login, the recruiter dashboard exposed ratings, notes, and personal details of nearly 1,000 students. J&J fixed this one within 25 days by switching to Bearer token authentication.

ATMS: Every API Unauthenticated, Including getUserAll

The Audit Tracking Management System (ATMS) looked tougher - Microsoft SSO redirect on page load. But the React app downloaded all the API endpoints before the redirect fired. Visiting /getAllUsers returned a list of 13,627 J&J employees with their WWIDs.

No server-side auth. None. Eaton found the system admin's name on a help page, cross-referenced it against the leaked user list, then hardcoded those credentials into local storage to bypass the login screen entirely. The only remaining gate was a session endpoint - a simple GET request that returned a valid session GUID. After plugging that in, Eaton had full admin access across 20 companies: LifeScan, Ethicon, Janssen, Biosense Webster, and more.

Seven Months and Press Pressure to Fix

Eaton reported both vulnerabilities in October 2025. Campus Recruiting was fixed by month-end. ATMS? No response for seven months despite follow-ups in November, December, and January. J&J only patched it after Eaton looped in a journalist who contacted J&J's media relations in April 2026.

The ATMS also shipped a client-side encryption scheme that does nothing - hardcoded keys baked into the JavaScript, posted publicly. For an audit system that never got its own audit, that irony writes itself.

What this means: Any company relying on frontend-only MSAL or SSO checks without verifying the token server-side is leaking data right now. J&J's own disclosure timeline proves that even responsible reporting can fail without external pressure.


Source: Exploiting vulnerabilities in Johnson & Johnson web apps
Domain: eaton-works.com
