
I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty

A security researcher discovered they could bypass AWS API Gateway authentication by adding a trailing slash to the request URL, exploiting a discrepancy in how the gateway and backend interpreted routes. The vulnerability earned them a $12,000 bug bounty from the affected company.
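The mismatch described above can be modelled as a regression check. This is an added example, not code from the original post and not AWS API Gateway's actual logic: an edge check that compares raw path strings, a backend that ignores trailing slashes, and a check that canonicalizes the path first and denies by default. All route and function names are hypothetical.

```python
import posixpath

# Constructed route tables for illustration (hypothetical names).
PROTECTED = {"/admin/users", "/billing/export"}   # handlers that need auth
PUBLIC = {"/health", "/login"}                    # explicitly unauthenticated

def backend_route(path: str) -> str:
    """Backend router that treats '/x/' and '/x' as the same handler."""
    return path.rstrip("/") or "/"

def naive_requires_auth(path: str) -> bool:
    """Edge check that compares the raw request path to the protected list."""
    return path in PROTECTED

def canonical(path: str) -> str:
    """Collapse duplicate slashes and dot segments, drop the trailing slash."""
    return posixpath.normpath("/" + path.lstrip("/"))

def hardened_requires_auth(path: str) -> bool:
    """Decide on the canonical path and require auth unless allowlisted."""
    return canonical(path) not in PUBLIC

def find_mismatches(paths):
    """Paths the naive edge check passes unauthenticated although the
    backend would route them to a protected handler."""
    return [p for p in paths
            if not naive_requires_auth(p) and backend_route(p) in PROTECTED]

# Constructed sample request paths.
SAMPLE_PATHS = ["/admin/users", "/admin/users/", "/health",
                "/billing/export/", "/login/"]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:20} naive_auth={naive_requires_auth(p)!s:5} "
              f"hardened_auth={hardened_requires_auth(p)!s:5} "
              f"backend={backend_route(p)}")
    print("mismatches:", find_mismatches(SAMPLE_PATHS))
```

Running `find_mismatches` over the full route table in CI flags any path form where the edge layer and the backend disagree before it reaches production.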