I was checking IPs and endpoints when I opened the following URL in my browser:

https://34.36.184.104/
Screenshot of the exposed tool

The page loaded without any authentication and revealed a tool called Customer Story Generator.

At first glance, it was clear that this tool was not meant for public access. The page itself mentioned that it was internal only and still in development. Despite that, anyone on the internet could access it directly just by visiting the IP.

What Was Exposed

The application allowed users to:

  • Select AI models
  • Choose customer story output formats
  • Input domain names
  • Generate internal-style customer stories

There was no login page, no authorization check, and no access restriction of any kind. The tool was simply exposed.

This wasn't behind a VPN, employee SSO, or internal network. Just a public IP hosting an internal tool.
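The missing control described above, shown as an added example that is not code from the original report or from the affected tool: a minimal WSGI stand-in for the tool as it was deployed (it answers any request), beside a wrapper that refuses requests which did not arrive through the SSO proxy or which carry no identity from the company domain. The proxy network, the identity header name and the domain are assumptions; in a real deployment the proxy's identity assertion is a signed token verified against the proxy's keys, which the plain string check here stands in for.

```python
import ipaddress

# Constructed assumptions standing in for whatever SSO / identity-aware proxy
# fronts the tool; none of these values come from the original report.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_DOMAIN = "example.com"
IDENTITY_HEADER = "HTTP_X_AUTHENTICATED_USER"  # WSGI form of X-Authenticated-User


def story_generator_app(environ, start_response):
    """Stand-in for the internal tool as deployed: it answers anyone."""
    body = b"<h1>Customer Story Generator</h1><p>Internal only - in development</p>"
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body]


def require_sso(app, trusted_nets=TRUSTED_PROXY_NETS, allowed_domain=ALLOWED_DOMAIN):
    """Wrap a WSGI app so it only serves requests that came through the SSO
    proxy and carry an identity from the allowed domain."""
    def wrapper(environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        try:
            from_proxy = any(ipaddress.ip_address(peer) in n for n in trusted_nets)
        except ValueError:
            from_proxy = False
        if not from_proxy:
            # A direct hit on the public IP bypasses the proxy entirely; refuse it
            # regardless of headers, since a client could forge the identity header.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access not permitted"]
        user = environ.get(IDENTITY_HEADER, "")
        if not user or not user.endswith("@" + allowed_domain):
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required"]
        return app(environ, start_response)
    return wrapper


def call(app, environ):
    """Invoke a WSGI app in-process and return (status, body); no server needed."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def make_environ(remote_addr, user=None):
    """Build a minimal WSGI environ for a GET / from the given peer address."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if user is not None:
        env[IDENTITY_HEADER] = user
    return env


if __name__ == "__main__":
    hardened = require_sso(story_generator_app)
    # As deployed: anyone on the internet gets the page.
    print(call(story_generator_app, make_environ("203.0.113.7")))
    # Hardened: direct public hit, with or without a forged header, is refused.
    print(call(hardened, make_environ("203.0.113.7")))
    print(call(hardened, make_environ("203.0.113.7", "someone@example.com")))
    # Hardened: via the proxy but unauthenticated, or authenticated.
    print(call(hardened, make_environ("10.1.2.3")))
    print(call(hardened, make_environ("10.1.2.3", "alice@example.com")))
```

The order of the two checks matters: the peer-address check runs first so that a forged identity header on a direct connection never reaches the domain check, and the public IP itself should additionally be firewalled so only the proxy can reach the application.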

Why This Is a Problem

Even though this is not a flashy vulnerability, the risk is very real.

Internal tools often deal with:

  • Customer-related data
  • Support tickets
  • Internal workflows
  • Operational details

Exposing such tools publicly can:

  • Allow unauthorized users to interact with internal systems
  • Leak sensitive customer or business information
  • Create compliance issues if regulated data is involved
  • Give attackers insight into internal tooling and processes

Issues like this are often the first step in larger attacks.

How I Reported It

I responsibly reported the issue to the security team with:

  • The exposed IP
  • Description of the issue
  • Impact of unauthorized access
  • Screenshot proof showing the tool was accessible without authentication

No data was modified or abused. The goal was only to demonstrate that access was possible without permission.

Bounty

  • Within 1 month they rewarded me a $1000 bounty