Exploiting vulnerabilities in Johnson & Johnson web apps
Eaton • Jun 24, 2026
Today I am revealing vulnerabilities I found in two very different Johnson & Johnson web apps. One is a vulnerability in a college campus recruiting system that exposed details of nearly 1,000 students, and the other is an admin takeover of an internal audit system used by 20 companies. Let’s dive in!
#1: Campus Recruiting
You know those career fairs and recruiting events on college campuses? JnJ likes to go to these to scout new talent. They built a “Campus Recruiting” website to manage these events:
Students are given an event key and they use it to submit their information:
Nothing particularly exciting… until you look at the underlying code of the website, where you can find some interesting private recruiter routes!
When you go to “/recruiter”, you are sent to the Microsoft SSO login page, confirming this part of the site is restricted to JnJ employees:
The authentication setup is really simple. The Microsoft Authentication Library (MSAL) is integrated into the frontend and it is in charge of making sure an employee is logged in: