June 24, 2026
SSO? More like SO easy
Exploiting vulnerabilities in Johnson and Johnson web apps
Johnson & Johnson’s hiring and audit sites were left wide open, and commenters are stunned
TLDR: A researcher says two Johnson & Johnson web systems were so poorly protected that student records and a powerful internal admin view were exposed. Commenters were split between praising the unusually clear write-up and roasting the all-too-familiar corporate mistake of putting old internal tools on the open internet.
The big gasp in the comments wasn’t just that two Johnson & Johnson web tools could be walked into with shocking ease — it was that the whole mess sounded painfully familiar. One site, used for college recruiting, reportedly exposed details on nearly 1,000 students. The other, an internal audit system tied to around 20 companies, allegedly let the researcher pose as an administrator and peek behind the curtain. For non-experts: this wasn’t movie-hacker magic. The article describes doors that looked locked from the front, while key parts around back were barely protected at all.
And the crowd? Equal parts impressed, annoyed, and darkly amused. One of the strongest reactions was praise for the write-up itself: commenters loved that it was calm, detailed, and not written like a superhero origin story. In a rare internet miracle, people were saying the reporting was more satisfying because it wasn’t screaming. Another hot take cut deeper: one commenter basically said this had the vibe of an old office system shoved onto the public internet by a team that didn’t understand what changes when the whole world can see your app. Ouch.
There was also a little comment-thread comedy, including a completely random clarification that this wasn’t that Eaton — the one known for power gear and even golf club grips — which only added to the wonderfully chaotic energy. The overall mood was a mix of “great research, terrifying security, and how does this keep happening?”
Key Points
- The article describes a vulnerability in Johnson & Johnson's Campus Recruiting web app that reportedly exposed information on nearly 1,000 students.
- According to the article, the Campus Recruiting recruiter interface relied on client-side MSAL logic while backend AWS APIs used a hardcoded API key instead of enforcing token authorization.
- The article states that Johnson & Johnson updated the Campus Recruiting site to replace API key authentication with Bearer token authentication tied to MSAL.
- The article describes an administrator takeover of the internal Audit Tracking Management System by spoofing client-side login state and obtaining a session GUID from an API.
- ATMS was described as being used across Johnson & Johnson and approximately 20 associated companies, with access to confidential audit-related information and transcripts.