May 26, 2026

Slash fiction, but make it fintech

I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty

One tiny slash opened the vault, and the comments came for everyone

TLDR: A researcher got $12,000 after finding that adding one extra slash to a website address could bypass login checks and even allow a tiny money transfer. Commenters were split between praising the clever find, mocking sloppy security, and complaining the post itself was too clickbaity.

A security researcher says they found a wildly simple bug: one extra `/` at the end of a web address turned a locked door into an open one. A normal visit to the accounts page got a 401 Unauthorized error, meaning “nope, you’re not allowed in.” Add a trailing slash, and suddenly the system handed over account data anyway. Even worse, the same trick reportedly worked on money transfers, where a one-cent test payment went through without a valid login. The company fixed it fast and paid $12,000, which sent the comments straight into debate mode.

And wow, the peanut gallery had thoughts. The biggest crowd-pleaser was pure comedy: “$1 removing the slash, $11,999 knowing where to remove the slash from” became the instant winner for explaining why bug bounties can look silly until you realize how hard the discovery really is. Others used the story to dunk on modern software complexity, with one commenter basically saying today’s systems are so tangled that a tiny matching rule can blow up your whole security plan. That was the serious camp.

But of course, this being the internet, there was also snark. One critic grumbled that the headline was too clicky and the write-up too vague, and even took a random swipe at the site hosting the post. Another commenter went straight for the throat with a jab about AI-written security posts, while a third delivered the cleanest roast of all: “Don’t vibe code your auth path folks.” Translation for normal humans: don’t lazily stitch together your login checks and hope for the best. The result is a perfect tech-drama cocktail: scary bug, easy fix, big payout, and a comment section split between “genius find” and “what a mess.”

Key Points

  • The article reports that `GET /v1/accounts` returned `401 Unauthorized`, while `GET /v1/accounts/` returned `200 OK` and exposed account data.
  • The API was an AWS API Gateway HTTP API fronted by a Lambda authorizer that validated JWTs against Amazon Cognito and returned an IAM policy.
  • The write-up attributes the bypass to a mismatch between HTTP API route matching and authorization enforcement, involving greedy path matching and path rewriting.
  • The author says `context.authorizer.userId` became undefined in the backend for trailing-slash requests, and the backend failed to validate it before returning data.
  • According to the article, the same issue affected `POST /v1/transfers/`; the company fixed it by switching to REST API, adding validation in every Lambda, and paying a $12,000 bounty.
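
As an added illustration (not code from the original write-up or the company's own backend), here are two Lambda-style handlers for a hypothetical `GET /v1/accounts`: the first trusts the authorizer context the way the article describes, the second applies the per-Lambda validation the fix added. The event field layout and the ORM-like "undefined means no filter" behaviour are assumptions made for the example.

```javascript
// Added example: two minimal handlers for a hypothetical GET /v1/accounts.
// "Before" trusts context.authorizer.userId blindly; "after" fails closed
// when the authorizer never populated it (the per-Lambda validation the
// article says was added as part of the fix).

// Constructed sample data standing in for an account table.
const ACCOUNTS = [
  { owner: "user-123", id: "acct-1", balance: 1000 },
  { owner: "user-456", id: "acct-2", balance: 250 },
];

// Toy query helper mimicking ORMs that treat an undefined value as "no
// condition": { owner: undefined } matches every row. This is an assumed
// behaviour chosen to show how a missing userId becomes an unscoped query.
function findAccounts(where) {
  return ACCOUNTS.filter((row) =>
    Object.entries(where).every(([k, v]) => v === undefined || row[k] === v)
  );
}

// Authorizer context lookup. Assumption: authorizer keys land under
// event.requestContext.authorizer.lambda (HTTP API payload v2) or directly
// under event.requestContext.authorizer (REST API).
function authorizerContext(event) {
  const auth = (event.requestContext && event.requestContext.authorizer) || {};
  return auth.lambda || auth;
}

// BEFORE: no check that the authorizer actually ran and set userId.
function vulnerableHandler(event) {
  const { userId } = authorizerContext(event);
  return { statusCode: 200, body: JSON.stringify(findAccounts({ owner: userId })) };
}

// AFTER: refuse to serve anything unless a non-empty string userId exists.
function hardenedHandler(event) {
  const { userId } = authorizerContext(event);
  if (typeof userId !== "string" || userId.length === 0) {
    return { statusCode: 403, body: JSON.stringify({ error: "unauthorized" }) };
  }
  return { statusCode: 200, body: JSON.stringify(findAccounts({ owner: userId })) };
}

// Constructed events: one where the authorizer ran, one mimicking the
// trailing-slash case where the route matched but no context was attached.
const authedEvent = { rawPath: "/v1/accounts", requestContext: { authorizer: { lambda: { userId: "user-123" } } } };
const unauthedEvent = { rawPath: "/v1/accounts/", requestContext: {} };

console.log("before:", vulnerableHandler(unauthedEvent)); // 200 with every account
console.log("after: ", hardenedHandler(unauthedEvent));   // 403
```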

Hottest takes

"$11,999 knowing where to remove the slash from" — A_Duck
"Don’t vibe code your auth path folks" — redrove
"The title feels clickbaity" — tedk-42

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.