Article URL: https://eaton-works.com/2026/06/24/jnj-webapp-hacks/ Comments URL: https://news.ycombinator.com/item?id=48662347 Points: 24 # Comments: 0

Today I am revealing vulnerabilities I found in 2 very different Johnson & Johnson web apps. One is a vulnerability in a college campus recruiting system that exposed details of nearly 1,000 students, and the other is an admin takeover of an internal audit system used by 20 companies. Let’s dive in!

You know those career fairs and recruiting events on college campuses? JnJ likes to go to these to scout new talent. They built a “Campus Recruiting” website to manage these events:

Nothing particularly exciting… until you look at the underlying code of the website, where you can find some interesting private recruiter routes!

When you go to “/recruiter”, you are sent to the Microsoft SSO login page, confirming this part of the site is restricted to JnJ employees:

The authentication setup is really simple. The Microsoft Authentication Library (MSAL) is integrated into the frontend and it is in charge of making sure an employee is logged in:

One client-side trick that often helps me expose insecure web apps is to hack MSAL into always thinking someone is logged in. If there are underlying APIs that do not use the token correctly, this helps discover such issues quickly. In this case, all I had to do was modify the MSAL code to always return details of 1 account that is “logged in”:

Once done, the private recruiter routes were accessible. You could manage the events, create new ones, and view all the students’ information. The recruiter dashboard also lets you see the ratings and notes they give to specific students they interview:

What went wrong: the MSAL token was not actually used anywhere. Instead, a hardcoded API key was used to authenticate to their AWS APIs: