Security researcher Eaton Zveare revealed details of several vulnerabilities he found in Intel’s internal systems. These flaws, which have since been patched by Intel, allowed Zveare to access information about Intel employees. Zveare’s findings were not part of a malicious attack but a responsible disclosure, highlighting significant security gaps within the company’s internal web infrastructure.
Zveare’s initial discovery was an authentication bypass vulnerability on an internal Intel India website used for ordering business cards. Although intended for a specific region, the site’s database contained employee information from across the globe. This single flaw could have allowed an attacker to download the details of every Intel employee, including names, email addresses, phone numbers, and roles. The researcher noted that more sensitive data like Social Security numbers and salary information were not exposed.
Following this, Zveare uncovered two more internal websites with hardcoded credentials that provided him with admin access. These sites, which were used for managing product applications and groups, also exposed the details of all Intel workers. A fourth vulnerability was identified on a supplier data management portal, which had another authentication bypass flaw. This particular vulnerability was more critical, as it could have been exploited to not only gain access to employee information but also to large amounts of confidential data related to Intel’s suppliers.
According to Zveare, the vulnerabilities collectively exposed information for a staggering 270,000 Intel employees and workers. When asked about the findings, an Intel spokesperson responded that there was no breach, data leak, or unauthorized access to the company’s data. They stated that upon notification in October 2024, immediate corrective actions were taken, and full remediation was completed promptly. Intel affirmed its commitment to continuously strengthening its security practices to protect its systems and the information of its customers and employees.
At the time of Zveare’s discovery and disclosure, these types of internal websites were not covered under Intel’s bug bounty program. Since then, the chip manufacturer has expanded the program to include cloud services and SaaS platforms, offering rewards of up to $5,000 for identified vulnerabilities. This expansion demonstrates Intel’s move to enhance its security posture and encourage more researchers to report potential flaws.
Reference:
