Spring Actuator endpoints publicly available, leading to account takeover
Team Summary
Official summary from LY Corporation
Due to insufficient access controls, it was possible to access the Spring Boot Actuator endpoints /heapdump and /env. The /heapdump endpoint leaks data from the Java Virtual Machine, leading to disclosure of admin credentials, user tokens and a combination of other data. This endpoint was not discovered by the internal security team due to being put on a custom path, avoiding detection through our usual means. The reporter accessing this endpoint also triggered a warning for our CSIRT team, allowing us to take quick and coordinated action. After quickly restricting access to this endpoint, we investigated and found no activity except that of the reporter. The maximum impact of this issue was potential takeover of random LINE Official Accounts through leaked tokens/cookies. We appreciate the professionalism and clear communication from @kazan71p and want to thank him for helping keep LINE secure.
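The hardening this report points at is to stop exposing sensitive Actuator endpoints over HTTP and to put authentication in front of whatever remains, regardless of the path they sit on. The following is an added example, not LY Corporation's code; it assumes Spring Boot 3.x with Spring Security 6, and the package name, role name and base-path value are constructed.

```java
// application.properties (constructed values) that go with the class below.
// Only health and info are exposed over the web; heapdump and env stay off
// even if the base path is changed, because a renamed path is not access control.
//
//   management.endpoints.web.exposure.include=health,info
//   management.endpoints.web.exposure.exclude=heapdump,env
//   management.endpoint.env.show-values=never
//   management.endpoints.web.base-path=/internal-mgmt

package example.security; // assumed package name

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    @Bean
    @Order(1) // evaluated before the application's main filter chain
    public SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            // EndpointRequest resolves the configured base-path itself, so this
            // matcher still covers the endpoints when they live on a custom path.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Liveness/readiness probes remain reachable without credentials.
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // Every other actuator endpoint requires an operator role
                // (role name is an assumption for this example).
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Requests to any actuator endpoint other than health and info now answer 401 without the operator role, and access attempts land in the authentication logs, which is the kind of signal the summary describes the CSIRT acting on.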
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $5000.00
Submitted:
Weakness: Misconfiguration