APPSEC-NOAUTH-2023
Web app · Microsoft Entra ID (Azure AD) OAuth/OIDC apps
Summary
nOAuth, disclosed by Descope's security team on June 20, 2023 (reported to Microsoft on April 11, 2023), is a cross-tenant account-takeover class in multi-tenant Microsoft Entra ID (Azure AD) OAuth applications, mapping to OWASP API2:2023 Broken Authentication. The flaw existed because Entra ID emitted an 'email' claim in the OIDC token that was both mutable and unverified, while applications used that email rather than the immutable 'sub'/'oid' claim to identify and link the signed-in user. An attacker who controlled their own Entra tenant could set the email attribute of an attacker account to a victim's email address, then use 'Log in with Microsoft' against any vulnerable app; the app merged accounts by the spoofed email and granted full control of the victim's account, requiring no interaction from the victim. Descope confirmed real exposure in major SaaS apps including a design platform with millions of monthly users. Microsoft mitigated by no longer emitting unverified email claims by default for app registrations created after June 2023 and added the xms_edov claim and a RemoveUnverifiedEmailClaim flag.
How to avoid it in your code
- Identify users by the immutable 'sub'/'oid' claim, never by the unverified 'email' claim.
- Never auto-link or merge accounts based on an email value that is not provably verified.
- Check xms_edov or equivalent domain-ownership signals before trusting an email claim.
- Validate iss/aud/exp and the token issuer's tenant before establishing a session.
- Treat any OIDC claim as untrusted input until cryptographically and semantically verified.
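As an added illustration of the checks listed above (example code written for this page, not Descope's or Microsoft's), the following Python validates an Entra ID token payload whose signature has already been verified against the issuer's published keys, and keys the application's accounts on the immutable tenant/object pair rather than on the email claim. The client ID, tenant IDs, and token payloads are constructed placeholders; the store and the `seed_local_account` helper stand in for whatever user database the application really has.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholders for this example, not real Entra ID values.
APP_CLIENT_ID = "app-client-id-placeholder"
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"


class TokenRejected(Exception):
    """Raised when an ID token payload fails the semantic checks."""


@dataclass(frozen=True)
class Identity:
    tid: str                        # home tenant of the signed-in user
    oid: str                        # immutable object ID within that tenant
    verified_email: Optional[str]   # set only when the issuer asserts ownership


def validate_claims(claims, now=None, allowed_tenants=None):
    """Semantic checks on a payload whose signature is assumed already verified.
    allowed_tenants=None accepts any tenant (a true multi-tenant app); pass a
    set of tenant IDs to restrict sign-in to onboarded tenants."""
    now = int(time.time()) if now is None else now
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        raise TokenRejected("missing tid/oid: cannot identify the principal")
    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        raise TokenRejected("issuer does not match the token's tenant")
    if allowed_tenants is not None and tid not in allowed_tenants:
        raise TokenRejected("tenant is not onboarded")
    if claims.get("aud") != APP_CLIENT_ID:
        raise TokenRejected("token was not issued for this application")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise TokenRejected("token is expired or has no exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and nbf > now:
        raise TokenRejected("token is not yet valid")
    # The email attribute is editable by whoever administers the issuing
    # tenant; keep it only when Entra asserts domain ownership via xms_edov.
    email = claims.get("email")
    verified = email if (email and claims.get("xms_edov") is True) else None
    return Identity(tid=tid, oid=oid, verified_email=verified)


@dataclass
class Account:
    display: str
    email: Optional[str]                        # verified email only
    subjects: set = field(default_factory=set)  # linked (tid, oid) pairs


class AccountStore:
    """Accounts are keyed on (tid, oid); an email links only when verified."""

    def __init__(self):
        self.by_subject = {}          # (tid, oid) -> Account
        self.by_verified_email = {}   # verified email -> Account

    def seed_local_account(self, email, display):
        """Account created by our own signup flow, email verified by us."""
        acct = Account(display=display, email=email)
        self.by_verified_email[email] = acct
        return acct

    def sign_in(self, ident):
        key = (ident.tid, ident.oid)
        acct = self.by_subject.get(key)
        if acct is None:
            existing = (self.by_verified_email.get(ident.verified_email)
                        if ident.verified_email else None)
            if existing is not None:
                acct = existing        # verified email: linking is safe
            else:                      # unverified or unknown: separate account
                acct = Account(display="", email=ident.verified_email)
                if ident.verified_email:
                    self.by_verified_email[ident.verified_email] = acct
            acct.subjects.add(key)
            self.by_subject[key] = acct
        return acct


# Constructed sample payloads (signature already checked, by assumption).
NOW = 1_700_000_000
ATTACKER_CLAIMS = {
    "iss": "https://login.microsoftonline.com/tenant-attacker/v2.0",
    "aud": APP_CLIENT_ID, "tid": "tenant-attacker", "oid": "oid-attacker",
    "exp": NOW + 600,
    "email": "victim@example.com",  # set by the tenant admin, unverified
    # no xms_edov: the issuer does not vouch for example.com
}
VICTIM_CLAIMS = {
    "iss": "https://login.microsoftonline.com/tenant-victim/v2.0",
    "aud": APP_CLIENT_ID, "tid": "tenant-victim", "oid": "oid-victim",
    "exp": NOW + 600, "email": "victim@example.com", "xms_edov": True,
}


def demo():
    """Returns (victim_account, account_the_attacker_got, account_the_victim_got)."""
    store = AccountStore()
    victim = store.seed_local_account("victim@example.com", "Victim User")
    got_by_attacker = store.sign_in(validate_claims(ATTACKER_CLAIMS, now=NOW))
    got_by_victim = store.sign_in(validate_claims(VICTIM_CLAIMS, now=NOW))
    return victim, got_by_attacker, got_by_victim


if __name__ == "__main__":
    victim, a, v = demo()
    print("attacker landed in victim account:", a is victim)   # False
    print("victim landed in own account:", v is victim)        # True
```

With the pre-mitigation token shape (an `email` claim and no `xms_edov`), the spoofed address simply never reaches the linking step, so the attacker ends up with an empty new account instead of the victim's; the victim's own sign-in, carrying a verified email, links to the existing account and records the (tid, oid) pair for future logins.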
Related vulnerabilities
- MEDIUM · APPSEC-PELOTON-API-2021
On May 5, 2021 Pen Test Partners researcher Jan Masters and TechCrunch publicly disclosed that Peloton's API exposed the private account data of its users, having been reported privately to Peloton on January 20, 2021. The API had endpoints, including a workout-details POST endpoint, a user-search GET endpoint, and GraphQL endpoints, that performed no authorization checks: unauthenticated requests returned account data such as user IDs, location/city, age, gender, weight, workout statistics, birthday, and group/studio attendance, even for users who had set their profiles to private, because the privacy flag was not enforced at the API layer. This is a missing/insufficient-authorization flaw on an API serving over 3 million subscribers' data. A partial fix on February 2, 2021 only restricted the API to authenticated Peloton members, so anyone willing to create an account could still pull any other user's private data until the full fix around early May.
- HIGH · APPSEC-INSTAGRAM-OTP-BRUTEFORCE-2019
In 2019, researcher Laxman Muthiyah found an account-takeover flaw in Instagram's mobile password-recovery flow, which Facebook rewarded with a $30,000 bounty, mapping to OWASP API4:2023 Unrestricted Resource Consumption combined with broken authentication. The flow sent a six-digit recovery code to the user's phone, giving only 1,000,000 possible values, and its rate limiting was insufficient to stop high-volume guessing. Muthiyah observed that of 1,000 codes submitted from one IP, about 250 were processed while the rest were throttled, so per-IP limits alone did not cap total attempts. By combining a race condition with IP rotation, he sent roughly 200,000 concurrent requests from 1,000 different IP addresses and estimated about 5,000 IPs would suffice to cover the full code space within the 10-minute validity window, brute-forcing the code and taking over any account. The core defect was the absence of an effective global lockout tying failed attempts to the targeted account rather than only the source IP.
- CRITICAL · APPSEC-FACEBOOK-VIEWAS-2018
On September 28, 2018 Facebook disclosed that attackers had stolen access tokens by exploiting its View As feature; an initial estimate of nearly 50 million affected accounts was revised on October 12, 2018 to about 30 million whose tokens were actually stolen (roughly 29 million had data accessed). The root cause was a business-logic flaw chaining three bugs in the read-only View As profile preview: a video-uploader composer added in July 2017 wrongly appeared in that view, it incorrectly minted an access token at all, and critically it minted the token for the user being viewed rather than the viewer, embedding that token in the page HTML. An attacker could therefore select View As a target and scrape a fully privileged token for the target account, then pivot through friend lists to harvest tokens outward from roughly 400,000 seed accounts. The flaw is an improper-authentication / business-logic failure where an auth credential was generated in the wrong context and scoped to the wrong principal.
- CRITICAL · APPSEC-JWT-ALG-CONFUSION
JWT algorithm confusion is an authentication-bypass class affecting servers that trust the attacker-controlled 'alg' field in a token's header to choose how the signature is verified, mapping to OWASP API2:2023 Broken Authentication. When a library exposes a single algorithm-agnostic verify call, setting alg to 'none' makes it accept a token with an empty signature and skip verification entirely, as Tim McLean documented across multiple libraries in a 2015 Auth0-coordinated disclosure. In the RS256-to-HS256 variant, a server expecting asymmetric RS256 passes its RSA public key to verify, but an attacker flips the header to HS256 so the library reuses that same public key as the HMAC secret; because the public key is not secret, the attacker can forge and HMAC-sign an arbitrary admin payload that validates. CVE-2015-9235 (CVSS 9.8) captured exactly this in node jsonwebtoken before 4.2.2, where a token signed with an HS-family algorithm was accepted in place of one expected to use an RS/ES asymmetric key. PortSwigger's Web Security Academy documents both the 'none' and RS256/HS256 confusion techniques as practical authentication-bypass labs.
- MEDIUM · APPSEC-SOURCEMAP-DISCLOSURE
A source map (.map) is a build artifact that maps minified bundle code back to the original source, and bundlers embed the full original code in its sourcesContent field. Left reachable in production or shipped inside a package, it hands anyone the unminified codebase, internal comments, hidden API endpoints, auth logic, and any secrets that were compiled in. Discovery is trivial: open DevTools and read the Sources tab, request the bundle's .map URL directly, or Google-dork for ext:map intext:webpack, then reconstruct the whole project with a tool like unwebpack-sourcemap. Passive scanners such as Acunetix and Burp already flag it as a standalone finding. It is usually rated medium on its own but escalates fast when the recovered source contains live credentials or undocumented endpoints; exposed Webpack source maps have leaked hardcoded Stripe secret keys that enabled unauthorized payments. High-profile cases include Apple's App Store web front-end in November 2025, shipped with source maps still enabled, and Anthropic's Claude Code, whose entire TypeScript source leaked via a source map left in a published npm package in March 2026.
- HIGH · APPSEC-GRAPHQL-ABUSE
GraphQL servers expose three abuse primitives stemming from the query language's flexibility. Leaving introspection enabled lets any client send a __schema query and recover the entire type system, including internal admin mutations and deprecated fields, providing a map of the attack surface (OWASP API8/API2). Because per-request rate limiters count one HTTP request regardless of operations inside it, an attacker can use field aliasing (e.g. attempt0:login(...), attempt1:login(...)) or array batching to pack dozens of login or verifyOtp mutations into a single request, brute-forcing credentials or short OTP/2FA codes while the rate limiter sees only one request; this aliasing-bypass technique is reproduced in the PortSwigger Web Security Academy 'Bypassing GraphQL brute force protections' lab and Wallarm's GraphQL batching research. Deeply nested or recursive queries cause an exponential explosion of resolver and database calls, exhausting CPU, memory and connection pools for denial of service, the core of OWASP API4:2023 Unrestricted Resource Consumption. HackerOne has disclosed a real GraphQL authentication-bypass finding, and Apollo Server v4 disabled array batching by default in response to these attacks.
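The 'none' and RS256-to-HS256 cases described in the JWT algorithm-confusion entry above, as an added Python example that is not code from this page or from any of the libraries it names: a verifier that lets the token header choose the algorithm, beside one that pins the algorithm server-side and rejects a mismatching header before any key material is touched. The claims, the HMAC secret, and the stand-in public-key PEM are constructed for the example; RS256 verification itself would need a crypto library and is left as a `NotImplementedError` on the legitimate path, which the confusion cases never reach.

```python
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    """Raised when a token fails structural or signature checks."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(header, payload):
    """The header.payload string a JWT signature covers."""
    compact = {"separators": (",", ":")}
    return (b64url_encode(json.dumps(header, **compact).encode()) + "."
            + b64url_encode(json.dumps(payload, **compact).encode()))


def split_token(token):
    """Returns (header, payload, signing_input, signature_bytes)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[0] + "." + parts[1], b64url_decode(parts[2])


def sign_hs256(payload, secret):
    """Legitimate HS256 issuance: HMAC-SHA256 over header.payload."""
    si = signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    mac = hmac.new(secret, si.encode(), hashlib.sha256).digest()
    return si + "." + b64url_encode(mac)


def unsigned_token(payload):
    """The alg=none shape with an empty signature, used here as a test vector."""
    return signing_input({"alg": "none", "typ": "JWT"}, payload) + "."


def hmac_ok(secret, si, sig):
    expected = hmac.new(secret, si.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_trusting_header(token, key):
    """Vulnerable pattern: the token's own header selects the algorithm and
    the single 'key' argument is reused whatever that algorithm turns out to be."""
    header, payload, si, sig = split_token(token)
    alg = header.get("alg")
    if alg == "none":
        return payload                       # signature never checked
    if alg == "HS256":
        if hmac_ok(key, si, sig):            # 'key' may be a public PEM here
            return payload
        raise InvalidToken("bad HMAC")
    if alg == "RS256":
        raise NotImplementedError("RS256 verification needs a crypto library")
    raise InvalidToken(f"unsupported alg {alg!r}")


def verify_pinned(token, expected_alg, key):
    """Hardened: the server fixes the algorithm; the header must match it
    before any key is used, and 'none' is never an option."""
    header, payload, si, sig = split_token(token)
    if header.get("alg") != expected_alg:
        raise InvalidToken(f"alg {header.get('alg')!r} rejected; "
                           f"this endpoint accepts only {expected_alg}")
    if expected_alg == "HS256":
        if not hmac_ok(key, si, sig):
            raise InvalidToken("bad HMAC")
        return payload
    if expected_alg == "RS256":
        raise NotImplementedError("RS256 verification needs a crypto library")
    raise InvalidToken("server misconfiguration: unknown expected_alg")


# Constructed inputs for the example; the PEM is a placeholder, not a real key.
SERVER_HMAC_SECRET = b"constructed-demo-secret"
PUBLIC_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
              b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
              b"-----END PUBLIC KEY-----\n")
CLAIMS = {"sub": "user-42", "admin": True}


if __name__ == "__main__":
    for name, tok, key, alg in [
        ("alg=none", unsigned_token(CLAIMS), SERVER_HMAC_SECRET, "HS256"),
        ("HS256 with public PEM", sign_hs256(CLAIMS, PUBLIC_PEM), PUBLIC_PEM, "RS256"),
    ]:
        print(name, "-> header-trusting:", verify_trusting_header(tok, key))
        try:
            verify_pinned(tok, alg, key)
        except InvalidToken as e:
            print(name, "-> pinned:", e)
```

The pinning check is deliberately the first thing `verify_pinned` does after parsing: an RS256 endpoint never hands its public key to an HMAC routine, so the public-key-as-secret trick has nothing to work with, and 'none' fails the same comparison. In real services this is the equivalent of passing an explicit allowed-algorithms list to the library rather than a single algorithm-agnostic verify call.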