What Goldman Sachs Was Telling Every Visitor Without Knowing
valkant/May 2026
Goldman Sachs is one of the most security-conscious financial institutions on earth. They run their own red team. They have entire divisions dedicated to application security. Their bounty program is mature, tightly scoped, and exceptionally hard to land a finding on. None of that stopped a piece of internal metadata from being baked into the JavaScript that every visitor to one of their properties downloaded.
The bug was simple in the way that most production bugs are simple. The frontend application was bundled with a configuration object that was meant to live on the server. It contained internal service identifiers, environment markers that revealed the deployment pipeline, and feature flag names that hinted at unreleased product lines. None of it was a credential. None of it was a secret in the strict sense. All of it was information an attacker would pay for.
The reason this matters is not that any single field in the config was exploitable on its own. The reason it matters is that this is the raw material attackers use to build the next step of a chain. Service names map onto subdomains you can probe. Pipeline markers tell you which staging or pre-production environments exist and how their hostnames are constructed. Feature flag names give you an inventory of functionality you can hunt against, including features that have not yet shipped to the public.
We reported the finding through Goldman's security program. It was triaged as Medium with a CVSS score of 5.3, the score a CVSS 3.x vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N produces: reachable over the network, no authentication or user interaction, a low confidentiality impact and no integrity or availability impact. That is the vector this class of unauthenticated information disclosure usually receives. The fix was straightforward. Strip the server-side config object out of the client bundle. Move what the frontend genuinely needs into a constrained, audited surface, ideally an explicit allowlist of keys rather than a denylist of things to remove, so the next refactor cannot quietly put the rest back. Treat anything else as confidential.
What made this finding interesting to us is how it was missed. Goldman runs scanners. Goldman runs internal review. Goldman has a vendor pen test cycle. None of those processes flagged it, because scanners do not understand what your business considers sensitive. Secret scanners match on the shape of credentials: known key prefixes, high-entropy strings, private key headers. A plain service name or a feature flag name has none of those properties and sails through. A scanner cannot look at an internal service name and recognise that it telegraphs your microservice topology to anyone with curl. That requires a human who understands the business context.
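To make the pattern concrete, here is an added example that is not Goldman's code and does not reproduce anything from their bundle. It builds a constructed server-side config of the kind the post describes, shows the bundling mistake that ships it to the browser, shows what a reader of the bundle can derive from it (candidate hostnames, pipeline markers, unreleased feature names), and then the allowlist-based fix plus a build-time check that fails when a non-allowlisted key reaches the emitted bundle. Every identifier, hostname and flag name below is invented, and the staging hostname pattern the harvester guesses is an assumption about how such environments are often named, not a fact about any real deployment.

```javascript
// Added example, not code from the original post or from any real deployment.
// All service names, hostnames, pipeline markers and flag names are constructed.

// The object that was meant to stay on the server. Only the first two keys
// are something the browser genuinely needs.
const serverConfig = {
  apiBaseUrl: "https://api.example.com",
  cdnBaseUrl: "https://static.example.com",
  services: {
    ledger: "ledger-core-svc",
    pricing: "pricing-engine-v3",
    kyc: "kyc-orchestrator",
  },
  deploy: {
    env: "prod",
    pipeline: "gha-release-2024q4",
    stagingSuffix: "stg.internal.example.com", // assumed naming convention
  },
  featureFlags: {
    "trade-copilot-beta": false,
    "crypto-custody-launch": false,
    "new-checkout": true,
  },
};

// Vulnerable pattern: the whole object is serialised straight into the bundle.
function vulnerableBootstrap(cfg) {
  return `window.__APP_CONFIG__ = ${JSON.stringify(cfg)};`;
}

// What someone reading the bundle learns. Parses the inline assignment back
// out and derives the three things the post lists: hosts to probe, pipeline
// markers, and features that exist but are switched off.
function harvest(bundleSource) {
  const m = /window\.__APP_CONFIG__\s*=\s*(\{.*?\});/s.exec(bundleSource);
  if (!m) return null;
  const cfg = JSON.parse(m[1]);
  const services = Object.values(cfg.services ?? {});
  const suffix = cfg.deploy?.stagingSuffix;
  return {
    // Assumed "<service>.<staging suffix>" pattern; a real hunt would try several.
    candidateHosts: suffix ? services.map((s) => `${s}.${suffix}`) : [],
    pipelineMarkers: [cfg.deploy?.env, cfg.deploy?.pipeline].filter(Boolean),
    unreleasedFeatures: Object.entries(cfg.featureFlags ?? {})
      .filter(([, enabled]) => !enabled)
      .map(([name]) => name),
  };
}

// Hardened pattern: an explicit allowlist of top-level keys the client needs.
// Anything not named here never leaves the server, whatever gets added later.
const PUBLIC_KEYS = new Set(["apiBaseUrl", "cdnBaseUrl"]);

function publicConfig(cfg) {
  const out = {};
  for (const key of Object.keys(cfg)) {
    if (PUBLIC_KEYS.has(key)) out[key] = cfg[key];
  }
  return out;
}

function hardenedBootstrap(cfg) {
  return `window.__APP_CONFIG__ = ${JSON.stringify(publicConfig(cfg))};`;
}

// Build-time check: returns the non-allowlisted server config keys whose
// quoted name appears anywhere in the emitted bundle text. A CI step can
// fail the build when this list is non-empty.
function leakedKeys(cfg, bundleSource) {
  return Object.keys(cfg).filter(
    (key) => !PUBLIC_KEYS.has(key) && bundleSource.includes(JSON.stringify(key)),
  );
}

// Stand-alone demonstration.
const leaky = vulnerableBootstrap(serverConfig);
console.log("harvested from vulnerable bundle:", harvest(leaky));
console.log("leaked keys (vulnerable):", leakedKeys(serverConfig, leaky));
console.log("leaked keys (hardened):", leakedKeys(serverConfig, hardenedBootstrap(serverConfig)));
```

The allowlist is the important half. A denylist that strips `services` and `featureFlags` is correct today and wrong the day someone adds `internalRouting` to the server config; an allowlist fails closed. The `leakedKeys` check is deliberately crude (it looks for the quoted key name in the bundle text) because the point is to catch the regression in CI, not to understand the bundle.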
The lesson is not that Goldman should have caught this. The lesson is that everyone has these bugs. Every frontend bundle on the public internet contains some quantity of information that should not be there. Most of it is harmless. Some of it is the first step in a chain that ends somewhere that costs real money. The work is in pulling those threads.