Cybernews
Johnson & Johnson Web Apps Exposed to Unauthorized Access via Authentication Flaws
Article Content
A cybersecurity researcher named Eaton disclosed vulnerabilities in Johnson & Johnson's web applications affecting its Campus Recruiting platform and Audit Tracking Management System (ATMS). The flaws allowed unauthorized access to sensitive data, including personal information of nearly 1,000 students and records of approximately 13,600 employees. The vulnerabilities stemmed from improper authentication enforcement: the frontend relied on the Microsoft Authentication Library (MSAL) for sign-in, but the backend never validated the resulting token. Instead of checking the MSAL token, the APIs accepted any request that carried a hardcoded API key. Following the disclosure, J&J updated its systems to replace API key authentication with Bearer token validation. The incident highlights significant lapses in security practices within J&J's web applications.
Key Points:

• Eaton discovered critical authentication flaws in J&J's web apps, exposing sensitive data.
• The vulnerabilities affected both the Campus Recruiting platform and the Audit Tracking Management System.
• J&J has since updated its security measures to prevent unauthorized access through API key authentication.
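The pattern described above, a backend that honours a static API key shipped to the browser while ignoring the MSAL token, and the fix J&J applied, server-side Bearer token validation, are shown side by side in the following added example. This is illustrative code written for this page, not J&J's code or Microsoft's MSAL library. All names, the issuer, audience, signing key and API key values are constructed for the demonstration; for a runnable offline example the token is HMAC-signed (HS256), whereas a real identity provider signs with RS256 and the backend would fetch its public keys from the provider's JWKS endpoint instead of holding a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# All values below are constructed for this example; none come from the article.
EXPECTED_AUDIENCE = "api://atms-backend"                     # hypothetical API identifier
EXPECTED_ISSUER = "https://login.example.test/tenant/v2.0"  # hypothetical token issuer
SIGNING_KEY = b"demo-hs256-secret"   # stand-in for the issuer's signing key (RS256/JWKS in production)
LEGACY_API_KEY = "hardcoded-frontend-key"  # stand-in for a static key embedded in the frontend


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build an HS256 JWT. Only used here to construct sample tokens for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def weak_authorize(headers: dict) -> bool:
    """Before: any request presenting the static key is accepted; the MSAL token is never checked.
    Because the key lives in the frontend, possession of it proves nothing about the user."""
    return headers.get("X-Api-Key") == LEGACY_API_KEY


def validate_bearer(headers: dict, now: Optional[float] = None) -> Tuple[Optional[dict], str]:
    """After: require 'Authorization: Bearer <jwt>' and verify it server-side.
    Returns (claims, "") on success or (None, reason) on rejection."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None, "missing bearer token"
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None, "undecodable token"
    # Pin the algorithm server-side; never let the token header choose it.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None, "bad signature"
    # Claims are only trustworthy after the signature check above.
    if claims.get("iss") != EXPECTED_ISSUER:
        return None, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "expired"
    return claims, ""


if __name__ == "__main__":
    token = make_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": 2000, "sub": "user-1"})
    print("api key only, weak :", weak_authorize({"X-Api-Key": LEGACY_API_KEY}))
    print("api key only, fixed:", validate_bearer({"X-Api-Key": LEGACY_API_KEY}, now=1000))
    print("bearer token, fixed:", validate_bearer({"Authorization": "Bearer " + token}, now=1000))
```

The order of checks matters: signature first, then issuer, audience and expiry, so that no claim is acted on before the token is known to be genuine. Audience validation is what stops a token legitimately issued for one application from being replayed against another API in the same tenant.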