I have written apps for J&J. They have internal talent, but they flood every team with breathtakingly incompetent contractors (and AI has exacerbated this). I could go on for hours, but let's just say their leadership makes engineers feel unwelcome. I don't think that's unusual for large businesses that are not tech-first, but it's worth mentioning.

It's not too hard to find vulnerabilities like this out there, but it is a true pleasure to see how well described and at the same time well documented the vulnerabilities and disclosure process in this case are handled. This makes it particularly useful to learn from as a real-life example. Well written, thank you for this cool piece of security work.

Well-written, I appreciated the absence of the kind of over-excited writing you often see in these kinds of posts.

At least with the second app (admittedly judging by that UI) this is a classic case of some team that has only every built apps that sit behind the firewall being made to “move to cloud,” without any understanding of what it means that their code is exposed to the internet.

I’ve seen a lot of orgs “solve” this not by fixing their code but by using Direct Connect to keep everything within the corporate network boundary; since after all compromised VPN credentials are another team’s problem!

It seems like being a security researcher in 2024 vs 2026 is a wildly different experience across the board (presumably not just with J&J).

I wonder what changed…

Sidenote: This is not the Eaton known for UPS's, power delivery components, aerospace parts and golf club grips, this is some other Eaton.