Tuesday , June 23 2026

Massive Intel data exposure: hacker harvests 270K employee data

A whitehat hacker broke into four of Intel’s internal systems and discovered that the sensitive data of 270K Intel employees was exposed. Then, he spent months helping the company plug the leaks, only to receive one automated thank-you note.

Security researcher Eaton Zveare found a way to bypass authentication on Intel’s corporate business card ordering site in India, as the system’s API revealed more data than anticipated.

“It gave me a nearly 1GB JSON file. This file contained the details of every Intel employee. Through 1 API request, I just exfiltrated a wealth of detailed information,” Zveare posted on LinkedIn.

Further investigation unveiled critical flaws in other systems, too.

“There were not 1, not 2, but 4 vulnerabilities that allowed me to exfiltrate sensitive information about more than 270k Intel employees/workers, and I was able to break into multiple internal websites through creative JavaScript patching,” the security researcher disclosed in a report.

To bypass authentication on the Intel India Operations’ website, the researcher simply tweaked the client-side code. The site used JavaScript to redirect unauthenticated users, but the researcher modified one function to return a non-empty array and was able to bypass the login.

The researcher was surprised to see that traffic “behind the scenes” was utilizing an unauthenticated API to return information on every employee. He shared a screenshot with details for Patrick Gelsinger, the former Intel CEO.

“The data included fields like the person’s name, role, manager, phone number, and mailbox address, but nothing overly sensitive like salary or social security number,” he explained.
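The pattern described above, next to a server-side fix, as an added example that is not Intel's code or the researcher's: a browser-side redirect is not a security boundary, so the API itself has to authenticate the caller, limit the request to the caller's own record and return only the fields a card order needs. All names, tokens and records below are hypothetical and constructed for illustration.

```javascript
// Constructed sample data; every name, id and token here is made up.
const DIRECTORY = [
  { id: "1001", name: "A. Sample", role: "Engineer", manager: "1002", phone: "555-0101", mailbox: "MB-1" },
  { id: "1002", name: "B. Sample", role: "Manager", manager: "1003", phone: "555-0102", mailbox: "MB-2" },
  { id: "1003", name: "C. Sample", role: "Director", manager: null, phone: "555-0103", mailbox: "MB-3" },
];
// Hypothetical server-side session store: opaque token -> employee id.
const SESSIONS = new Map([["tok-1001", "1001"]]);
// The only fields a business card order needs.
const CARD_FIELDS = ["name", "role", "phone", "mailbox"];

// Pattern the article describes: the login redirect lives in browser
// JavaScript, and the API behind it checks nothing and returns everyone.
function unauthenticatedApi(_req) {
  return { status: 200, body: DIRECTORY };
}

// Resolve the caller from the request on the server, never from client state.
function authenticate(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const match = /^Bearer (\S+)$/.exec(header);
  return match ? SESSIONS.get(match[1]) : undefined;
}

// Hardened handler: server-side authentication, object-level authorization
// (own record only) and a field allowlist instead of the full row.
function cardDataApi(req) {
  const callerId = authenticate(req);
  if (!callerId) return { status: 401, body: { error: "authentication required" } };
  const wanted = req.query && req.query.id !== undefined ? String(req.query.id) : callerId;
  if (wanted !== callerId) return { status: 403, body: { error: "forbidden" } };
  const row = DIRECTORY.find((e) => e.id === callerId);
  if (!row) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: Object.fromEntries(CARD_FIELDS.map((f) => [f, row[f]])) };
}
```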

Three other systems exposed:

The researcher later discovered that Intel’s Hierarchy Management website, which helps organize product groups and ownership within the company, contained an easily decryptable, hardcoded password that could even be used to gain admin access to the system.

“This encryption is 100% pointless,” the researcher writes.

“It’s all done client-side, meaning the client has the key, so it is possible to decrypt the password!”

The decrypted password raised even more eyebrows. It only contained sequences of numbers (123…) and letters (abc…).

Hardcoded admin credentials allowed access to the site with “some interesting information, some of which may include unreleased products.”

The third internal service the researcher accessed was the “Product Onboarding” website, likely used to upload product information.

“This one is the worst offender in terms of leaked/hardcoded credentials.”

The credentials for various APIs were posted in plain text, among the comments in the JS files. One encrypted GitHub personal access token might have allowed reading fake products on Intel ARK, but the researcher chose not to test it.
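A pre-release check for the two leak patterns described above (credentials left in JS comments, and a password "encrypted" with a key shipped in the same bundle), as an added example that is not from the researcher's report or from Intel. The rule patterns are heuristics, and the sample bundle, including the function name `decryptValue`, is constructed.

```javascript
// One pass that skips string literals, so "https://x" inside a string is not
// read as a comment. Regex literals and ${} nesting are not parsed (heuristic).
function extractComments(src) {
  const found = [];
  let i = 0, line = 1;
  while (i < src.length) {
    const c = src[i], next = src[i + 1];
    if (c === '"' || c === "'" || c === "`") {
      for (i++; i < src.length && src[i] !== c; i++) {
        if (src[i] === "\\") i++;          // skip the escaped character
        if (src[i] === "\n") line++;
      }
      i++;
    } else if (c === "/" && (next === "/" || next === "*")) {
      const at = src.indexOf(next === "/" ? "\n" : "*/", i + 2);
      const end = at === -1 ? src.length : at;
      const text = src.slice(i + 2, end);
      found.push({ line, text });
      line += text.split("\n").length - 1;
      i = next === "/" ? end : end + 2;
    } else {
      if (c === "\n") line++;
      i++;
    }
  }
  return found;
}

const CRED_ASSIGN = /\b(pass(word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*\S+/i;
// Ciphertext and key both literal: anyone holding the bundle can decrypt it.
const LITERAL_DECRYPT = /decrypt\w*\s*\(\s*(["'])[^"']+\1\s*,\s*(["'])[^"']+\2/i;
// Report line and rule only; never echo the matched secret.
function scanBundle(src) {
  const findings = [];
  const check = (re, rule, text, first) => text.split("\n").forEach((t, k) => {
    if (re.test(t)) findings.push({ line: first + k, rule });
  });
  for (const c of extractComments(src)) check(CRED_ASSIGN, "credential-in-comment", c.text, c.line);
  check(LITERAL_DECRYPT, "literal-key-decrypt", src, 1);
  return findings;
}

// Constructed sample bundle; names and values are made up.
const SAMPLE_BUNDLE = [
  'const api = "https://api.example.test/v1"; // base URL',
  "// svcUser = onboarding, password = EXAMPLE-ONLY",
  "/* staging notes:",
  "   api_key: EXAMPLE-ONLY */",
  'const adminPw = decryptValue("Q09OU1RSVUNURUQ=", "static-demo-key");',
].join("\n");
```

A finding from either rule means the secret has to be rotated and moved server-side, since removing it from the next build does not recall copies already served.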

Lastly, Intel’s SEIMS (Supplier EHS IP Management System) site also had its corporate login compromised. Again, it leaked all Intel employee data, but with additional client-side modifications, it was “possible to gain full access to the system to view large amounts of confidential information about Intel’s suppliers.”

The researcher was able to access product reports and other documents, like NDAs.

The researcher responsibly disclosed all the vulnerabilities to Intel and described the experience as “a one-way black hole.”

On October 14th, 2024, Zveare sent the first Business Card vulnerability report and immediately received an automated email saying “Thank You !” and explaining that web infrastructure vulnerabilities aren’t part of the Bug Bounty Program.

“No other response or certificate will be sent out beyond this notification,” the letter reads.

And it was the only official correspondence the researcher ever received.

Zveare disclosed further vulnerabilities on October 29th and November 12th, 2024, and then sent multiple follow-up emails urging the rotation of leaked credentials and the fixing of vulnerabilities.

Ninety days later, the flaws were resolved. On February 28th, 2025, the researcher informed Intel about the intent to publish the findings. Yet the report was not made publicly available until August 18th.

“Hardware vulnerabilities are worth up to $100k while website bugs are basically relegated to a black-hole inbox,” the researcher notes.

“The good news is that Intel has recently expanded its bug bounty coverage to include services.”

Source: eaton-works.com, cybernews
