Someone hacked Johnson & Johnson's internal systems to teach it a lesson

A simple vulnerability can give access to highly confidential corporate data.

- A cybersecurity researcher uncovered two authentication flaws in Johnson & Johnson web applications that exposed sensitive recruiter tools, employee records, and an internal audit management system.
- Both vulnerabilities stemmed from improper backend authentication, allowing attackers to bypass Microsoft SSO by manipulating client-side code because the servers failed to verify user identity.
- The flaws exposed highly sensitive data, including information on nearly 1,000 student applicants, approximately 13,600 employee records, and confidential audit data across about 20 J&J business units.
- The researcher responsibly disclosed the vulnerabilities in October 2025, but while the recruiting platform was fixed quickly, the critical audit system remained vulnerable for six months until media involvement prompted remediation.
A cybersecurity researcher going by the name Eaton discovered and disclosed two vulnerabilities in J&J's web apps that allowed them access to recruiter tools, employee records, and even an internal audit management system used across dozens of J&J businesses.
The findings, disclosed this week, describe two separate vulnerabilities that affected a campus recruiting platform and the company's Audit Tracking Management System (ATMS).
According to Eaton, both systems slipped on the same mistake – authentication was largely enforced by the application's frontend, while backend systems failed to properly verify whether users were actually logged in.
Access to student recruitment data
The first disclosed vulnerability affected J&J's Campus Recruiting platform, which the pharmaceutical giant uses to manage university hiring events.
Students attending recruiting fairs receive event keys to submit resumes and personal information. Recruiters, meanwhile, access a separate portal protected by Microsoft's single sign-on (SSO).
At least, that's how it was supposed to work. While examining the site's JavaScript, Eaton discovered that simply modifying Microsoft's Authentication Library (MSAL) to always report a user as "logged in" unlocked the recruiter interface.
Once inside, he could create recruiting events, manage applicants, and browse information on nearly 1,000 students, including recruiter notes and interview ratings.
The real problem, according to Eaton, wasn't Microsoft's authentication system. It was that the backend wasn't actually using it.
Instead of validating Microsoft's authentication token, the application's APIs accepted requests authenticated with a hardcoded API key embedded in the frontend.
"The MSAL token was not actually used anywhere," Eaton wrote.
"Instead, a hardcoded API key was used to authenticate to their AWS APIs."
J&J later replaced API-key authentication with proper bearer token validation.
Audit system exposes secret data
What was even more shocking was that the researcher managed to get access to J&J's internal auditing system.
J&J's Audit Tracking Management System is an internal platform used to manage compliance audits across roughly 20 companies within the healthcare giant's portfolio, including Janssen, Ethicon, Biosense Webster, DePuy, Abiomed, and other business units.
While the application appeared locked behind Microsoft's SSO, Eaton found that the React application exposed numerous API endpoints before redirecting users to log in.
A request to an API named “getAllUsers” returned information on approximately 13,600 Johnson & Johnson employees without requiring authentication.
“That was huge because it indicated all the APIs were unauthenticated, and it was just a matter of hacking up the client-side code to get full access to everything,” the researcher noted.
“Like Campus Recruiting, it uses MSAL to authenticate the user using Microsoft SSO, and then it sets some values to local storage. There is no sign of it using the Bearer token,” he added.
Using information available inside the application, Eaton identified the system administrator, spoofed the administrator's identity by modifying browser-side code, manually generated a valid session identifier, and gained full administrator access.
The admin dashboard allowed switching between multiple J&J subsidiaries and exposed functionality reserved for system administrators.
“The system is packed full of presumably confidential information and transcripts. Even from all the way over in Russia,” he explained.
Eaton says he intentionally avoided exploring confidential records, despite observing internal meeting transcripts and sensitive corporate information.
“They used a rather dumb client-side encryption scheme to try and obscure some secret values,” Eaton stated.
“Ironically, it seems this auditing system never received an audit itself if code like this ends up being published.”
J&J was not in a rush to fix the problem
Eaton says he privately disclosed both vulnerabilities to Johnson & Johnson in October 2025 through the company's vulnerability reporting program.
The recruiting platform was fixed by the end of that month, but the auditing system was not. Over the next 6 months, Eaton says he repeatedly followed up but received no updates.
Only after asking a journalist to contact J&J's media relations department in April 2026 did the company finally remediate the issue.
"It was a bit perplexing that it took press involvement to address what I believed was a serious internal data breach waiting to happen," Eaton wrote.
Cybernews has reached out to J&J for a comment. We will update the article once we receive a response.