I was on vacation in London, doing the Warner Bros Studio Tour. You know, the Harry Potter one. While waiting around, I connected to the guest Wi-Fi and started poking around out of habit.

Within minutes, I had access to internal Warner Bros employee websites that were supposed to require a VPN.

What Happened

Warner Bros has roughly 10,000 internal subdomains. Most of them are meant to be accessible only by employees connected through a corporate VPN. But the public guest Wi-Fi at both the Studio Tour and their London corporate headquarters wasn't properly segmented from the internal network. If you were on the guest Wi-Fi, you could reach internal systems as if you were an employee on the VPN. One of these internal sites literally displayed a message saying "You need to be on the WB network or connected to a VPN in order to access this page." It loaded fine on the guest Wi-Fi.

One of those internal systems was a search tool for Warner Bros content. Movies, TV shows, and their associated assets. Not just released content. I found unreleased titles with production details that hadn't been made public yet. I also found that a popular show had a couple more seasons in production than had been publicly announced at the time.

This wasn't an old, dead system. It was actively being used with current data.

The Response

I reported this through their bug bounty program with video evidence. They took over a month to respond, then closed it as "informative," claiming there was no security impact.

Their reasoning? The search tool was "an old proof of concept that was intended to be public" dating back almost ten years. A proof of concept. Meant to be public. Containing unreleased movie titles, non-public production details, and a couple more seasons of a popular show than had been publicly announced.

They also claimed that "critical systems and sensitive information remain protected by additional authentication measures." But that wasn't true for every system I accessed. Some had authentication. Many didn't. And the ones that did have authentication still shouldn't have been reachable from a guest network in the first place.

I pointed out that this wasn't limited to one URL. Any of their internal subdomains that required the VPN was accessible from the guest Wi-Fi. A site that literally displays "You need to be on the WB network or connected to a VPN" should not load on the gift shop Wi-Fi. They didn't address that.

Why This Matters

Warner Bros isn't the only company I've found this at. I've seen the same pattern at other major companies where guest or public Wi-Fi wasn't properly isolated from internal infrastructure. At one large retailer, development APIs and internal tools that returned 403 Forbidden from the public internet loaded fine from their in-store guest Wi-Fi. I couldn't find a way to report it to them, which is its own problem.

This is clearly something that gets overlooked. Network segmentation is one of the most basic security controls and one of the most commonly misconfigured. Companies assume their guest networks are isolated. In my experience, many aren't. And traditional penetration tests almost never check for this because the tester is sitting in an office running scans remotely, not standing in your lobby connected to your guest Wi-Fi.

This Is Something I Want to Test More

I think Wi-Fi segmentation testing is a huge blind spot in corporate security. Most pentesters never check it. Most companies never think to ask.

I can test this remotely. All a company needs to do is set up a tunnel from a device on their guest network to me. I don't need to be on site. From there, I can check whether your guest Wi-Fi gives access to internal systems, dev environments, management dashboards, or anything else that should be behind a VPN.

If your company has guest Wi-Fi anywhere, whether that's an office lobby, a retail store, a warehouse, or a tourist attraction, this is worth testing. It doesn't need to be physically near your corporate infrastructure. It just needs to be on a network that wasn't properly segmented. And the risks go beyond accessing internal tools. If your guest Wi-Fi puts users on an IP range that's included in your domain's SPF record, someone on that network could potentially send emails that pass authentication checks as if they were your company.

If I can find unreleased movie titles from a studio tour, imagine what someone with worse intentions could find from your guest network.

Kaeden is an independent security researcher and penetration tester based in Tokyo. For inquiries, reach out at whitehat@pentester.ca.