Black & White Path
Jun 8, 2026 · Information Security
How a Single Authorization Header Bypassed Authentication and Earned a $3,000 Bounty
Security researcher ALR discovered that a web application only checks for the presence of the Authorization header, allowing any request with "Authorization: Basic"—even without credentials—to access around 50 API endpoints, leading to a critical authentication bypass and a $3,000 bounty.
Authentication Bypass · Authorization Header · Bug Bounty
