CVE-2026-57912
Status: Deferred - Pending Action
Campus Recruiting Data Exposure Vulnerability

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: MITRE

Description
Johnson & Johnson Campus Recruiting before 2025-10-31 allows viewing of data provided by recruited students, and notes entered about students by interviewers.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs

Vendor               Product                           Version / Range
johnson_and_johnson  campus_recruiting                 up to 2025-10-31 (inclusive)
johnson_and_johnson  audit_tracking_management_system  up to 2026-04-30 (inclusive)
CWE
CWE-602 (Client-Side Enforcement of Server-Side Security): The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Johnson & Johnson's Campus Recruiting system allowed unauthorized users to view sensitive data provided by recruited students and notes entered by interviewers. This was due to improper authentication mechanisms where the system relied on a hardcoded API key instead of proper token-based authentication, enabling attackers to bypass Microsoft SSO authentication by manipulating the Microsoft Authentication Library (MSAL).

Impact Analysis

This vulnerability can lead to unauthorized disclosure of personal and sensitive information of nearly 1,000 recruited students, including the data they supplied and the interviewers' notes about them. Such exposure can result in privacy violations, identity theft, and reputational damage for both the affected individuals and Johnson & Johnson.

Detection Guidance

Detection of this vulnerability involves identifying unauthorized access attempts or bypasses of authentication mechanisms in the Johnson & Johnson Campus Recruiting system or Audit Tracking Management System (ATMS). Specifically, look for signs of manipulation of authentication tokens or API keys.

One approach is to monitor network traffic for requests to the vulnerable APIs that do not include valid authentication tokens or that use hardcoded API keys.

Commands to help detect such activity could include:

  • Use network monitoring tools like tcpdump or Wireshark to capture HTTP requests to the affected systems and inspect headers for missing or suspicious authentication tokens. Example tcpdump command to capture traffic to the campus recruiting system or ATMS (replace <IP> with the server IP; the filter is quoted and parenthesised so that both ports apply to the host, and headers on port 443 are only readable where TLS is terminated, e.g. at a reverse proxy or in its access logs):

    tcpdump -i any 'host <IP> and (port 80 or port 443)' -w capture.pcap

  • Use curl or similar tools to test API endpoints for authentication enforcement, for example:

    curl -v https://<target-system>/api/endpoint -H "Authorization: Bearer invalid_token"

  • Check logs for repeated failed authentication attempts or suspicious access patterns.
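As an added example (not code from this page's source or from Johnson & Johnson), the checker below applies the detection guidance to structured access-log records: it flags API requests that carry no Authorization header, that present a static API key instead of a token, or whose Bearer value is not token-shaped, and it lists sources that trip the rules repeatedly. The JSON-per-line log format, the `/api/` path prefix, the `x-api-key` header name and the log lines themselves are constructed assumptions for the demonstration.

```python
import json
from collections import Counter

# Constructed sample log (JSON object per line); not real recruiting data.
# Header names and paths are assumptions made for this example.
SAMPLE_LOG = """\
{"ts":"2025-10-01T09:00:01Z","src":"10.0.0.5","method":"GET","path":"/api/candidates/123","status":200,"headers":{"authorization":"Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln"}}
{"ts":"2025-10-01T09:00:02Z","src":"203.0.113.9","method":"GET","path":"/api/candidates/123","status":200,"headers":{"x-api-key":"static-key-0001"}}
{"ts":"2025-10-01T09:00:03Z","src":"203.0.113.9","method":"GET","path":"/api/candidates/124/notes","status":200,"headers":{}}
{"ts":"2025-10-01T09:00:04Z","src":"203.0.113.9","method":"GET","path":"/api/candidates/125/notes","status":401,"headers":{"authorization":"Bearer not-a-jwt"}}
{"ts":"2025-10-01T09:00:05Z","src":"10.0.0.7","method":"GET","path":"/static/logo.png","status":200,"headers":{}}
"""

API_PREFIX = "/api/"                       # assumption: where the protected endpoints live
STATIC_KEY_HEADER = "x-api-key"            # assumption: header a hardcoded key would travel in
JWT_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_=")


def looks_like_jwt(token: str) -> bool:
    """Cheap shape check only: three non-empty base64url segments. Not a validation."""
    parts = token.split(".")
    return len(parts) == 3 and all(p and set(p) <= JWT_ALPHABET for p in parts)


def classify_request(rec: dict):
    """Return a finding label for an API request with weak or absent auth, else None."""
    if not rec.get("path", "").startswith(API_PREFIX):
        return None
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if STATIC_KEY_HEADER in headers:
        return "static_api_key"           # the hardcoded-key pattern the advisory describes
    auth = headers.get("authorization")
    if not auth:
        return "missing_auth"
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not looks_like_jwt(token):
        return "malformed_bearer"
    return None


def analyze(log_text: str, threshold: int = 2) -> dict:
    """Scan log lines; report findings and sources that hit the rules >= threshold times."""
    findings = []
    per_source = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reason = classify_request(rec)
        if reason is None:
            continue
        # A 2xx on a request without a valid token is the strongest signal: the
        # server served data it should have refused.
        served = 200 <= rec.get("status", 0) < 300
        findings.append({"src": rec["src"], "path": rec["path"],
                         "reason": reason, "served": served})
        per_source[rec["src"]] += 1
    suspicious = sorted(src for src, n in per_source.items() if n >= threshold)
    return {"findings": findings, "suspicious_sources": suspicious}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["findings"]:
        flag = "SERVED" if f["served"] else "denied"
        print(f'{f["src"]:>12}  {f["reason"]:<16} {flag:<6} {f["path"]}')
    print("repeat offenders:", report["suspicious_sources"])
```

The shape check on the Bearer value is deliberately not a signature check; it only separates obviously non-token values from plausible ones so that the `served` flag can highlight responses that should have been rejected. Real validation belongs in the service, not in the log pipeline.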
Mitigation Strategies

Immediate mitigation steps include:

  • Ensure that all authentication mechanisms enforce proper token validation rather than relying on hardcoded API keys.
  • Disable or restrict access to APIs that do not require authentication.
  • Implement strong authentication and authorization controls, such as OAuth tokens or Microsoft SSO with proper validation.
  • Monitor and audit access logs for unusual activity or unauthorized access attempts.
  • Apply any available patches or updates provided by Johnson & Johnson to fix these vulnerabilities.
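To make the first mitigation concrete, here is an added example (not Johnson & Johnson's code, and not a reconstruction of their system) showing the CWE-602 pattern beside its hardened form: a handler that trusts a fixed key every client embeds, and a handler that validates a per-user, signed, expiring token on the server for each request. The HMAC token format, the secret, the audience string and the student record are all constructed for illustration; a real deployment would validate the tokens its SSO provider issues with a maintained library rather than hand-roll a scheme.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example. A real server keeps its secret out of the
# code base and never ships it to clients.
SERVER_SECRET = b"example-server-side-secret"   # assumption: known only to the server
HARDCODED_API_KEY = "static-client-key"          # the weak pattern: same key in every client
AUDIENCE = "campus-recruiting-api"               # hypothetical audience claim
STUDENT_RECORD = {"candidate": "c-123", "interviewer_notes": "<placeholder>"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: float, ttl: int = 900) -> str:
    """Server-side only: sign a short-lived claim set with the server secret."""
    claims = {"sub": subject, "aud": AUDIENCE, "exp": int(now) + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: float):
    """Return the claims if signature, audience and expiry all hold; otherwise None."""
    body, sep, sig_text = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    try:
        # compare_digest is constant-time; decoding errors are ValueError subclasses.
        if not hmac.compare_digest(expected, _b64url_decode(sig_text)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims


def handle_vulnerable(headers: dict):
    """CWE-602: the server's only check is a key that lives in the client, so the
    protection is effectively enforced by the client, not the server."""
    if headers.get("X-API-Key") == HARDCODED_API_KEY:
        return STUDENT_RECORD
    return None


def handle_hardened(headers: dict, now: float):
    """Server validates a signed, expiring, per-user token on every request."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer":
        return None
    claims = verify_token(token, now)
    if claims is None:
        return None
    # Authorization (may claims["sub"] see this record?) would follow here.
    return STUDENT_RECORD


def altered_claims(token: str) -> str:
    """Demo helper: change the claims without re-signing, to show the server rejects it."""
    body, _, sig = token.partition(".")
    claims = json.loads(_b64url_decode(body))
    claims["sub"] = "someone-else"
    return f"{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"


if __name__ == "__main__":
    now = time.time()
    tok = issue_token("alice", now)
    print("valid token   ->", handle_hardened({"Authorization": f"Bearer {tok}"}, now) is not None)
    print("altered claims->", handle_hardened({"Authorization": f"Bearer {altered_claims(tok)}"}, now))
    print("expired       ->", handle_hardened({"Authorization": f"Bearer {tok}"}, now + 3600))
    print("static key    ->", handle_hardened({"X-API-Key": HARDCODED_API_KEY}, now))
```

The hardened handler still has to perform authorization after authentication: a valid token proves who the caller is, not that they may read a particular candidate's notes, and that check also has to live on the server.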
Compliance Impact

The vulnerability in Johnson & Johnson's Campus Recruiting system allowed unauthorized viewing of personal data provided by recruited students, which could lead to non-compliance with data protection regulations such as GDPR that require protection of personal data and restrict unauthorized access.

Since the vulnerability exposed sensitive student information without proper authentication controls, it potentially violates principles of confidentiality and data minimization required by standards like GDPR and HIPAA.

Additionally, the delayed remediation of related vulnerabilities in J&J's internal systems, as described in the resources, may further impact compliance by failing to promptly address known security risks.
