
Intel Websites Compromised: Hackers Access Confidential Data of All Intel Employees

A series of critical vulnerabilities across multiple internal Intel websites allowed for the complete exfiltration of the company’s global employee database and access to confidential supplier information. The flaws, stemming from basic security oversights, exposed the personal details of over 270,000 Intel employees and workers.

An investigation by Eaton Works revealed that at least four separate internal web applications contained severe security holes, including client-side authentication bypasses, hardcoded credentials, and a lack of server-side validation. These vulnerabilities provided four distinct pathways for an unauthorised user to download the entire employee database.

One significant breach involved a website for Intel India employees to order business cards. The researcher discovered that it was possible to bypass the corporate Microsoft Azure login prompt by making a simple modification to the site’s JavaScript. Once past the login, the researcher found an unauthenticated API that would issue a valid access token. This token could then be used to query a “worker” API. By removing the search filter from the API request, the system returned a nearly 1 GB JSON file containing the names, job roles, managers, phone numbers, and mailbox addresses for Intel’s entire global workforce.

This pattern of lax security was repeated across other internal systems. A “Product Hierarchy” management website contained hardcoded credentials for its backend services. The password, while encrypted, used a notoriously weak AES key, “1234567890123456”, making it trivial to decrypt. This provided a second method to access the same employee database, according to Eaton Works.

Another “Product Onboarding” site, presumed to be used for managing entries on Intel’s public ARK product database, contained a trove of hardcoded secrets, including multiple API keys and even a GitHub personal access token.

The fourth major vulnerability was found in Intel’s Supplier EHS IP Management System (SEIMS), a portal for managing intellectual property with suppliers. The researcher bypassed the login by modifying the code that checked for a valid token. From there, they gained administrative access by manipulating API responses, allowing them to view confidential supplier data, including details of non-disclosure agreements (NDAs). Shockingly, the system’s backend APIs accepted a fabricated authorisation token with the value “Not Autorized”, a typo that highlighted a complete breakdown in server-side security checks.

The researcher responsibly disclosed all findings to Intel beginning on October 14, 2024. The company’s bug bounty program policy excludes web infrastructure from monetary rewards, directing such reports to a security email inbox. While the researcher received only an automated reply and no direct communication, they confirmed that Intel remediated all vulnerabilities.
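The server-side checks whose absence the article describes, as an added example that is not code from Intel, Eaton Works or the original article: the API verifies the token's signature itself, treats a missing search filter as an error, and caps and trims what it returns. The token format, the function names `issueToken`, `verifyToken` and `searchWorkers`, the three-character minimum and the 25-row cap are all assumptions made for illustration.

```javascript
// Added example: server-side checks for a hypothetical "worker" search endpoint.
const crypto = require("crypto");

// Assumption: the key is loaded from a secret store at runtime, never shipped in client code.
const SIGNING_KEY = crypto.randomBytes(32);
const MAX_RESULTS = 25; // assumed page-size cap

// Token format (constructed for this example): base64url(claims).base64url(HMAC-SHA256)
function issueToken(claims, key = SIGNING_KEY) {
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  const mac = crypto.createHmac("sha256", key).update(payload).digest("base64url");
  return `${payload}.${mac}`;
}

// Returns the claims only if the signature verifies and the token has not expired.
function verifyToken(token, key = SIGNING_KEY, now = Date.now()) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 2) return null;
  const expected = crypto.createHmac("sha256", key).update(parts[0]).digest();
  const given = Buffer.from(parts[1], "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    return typeof claims.exp === "number" && claims.exp > now ? claims : null;
  } catch {
    return null;
  }
}

// Every decision is made here on the server; nothing the browser sends is trusted.
function searchWorkers(authHeader, query, directory) {
  const token = String(authHeader || "").replace(/^Bearer /, "");
  if (!verifyToken(token)) return { status: 401, body: [] };
  // An absent or too-short filter is an error, not "return everyone".
  const term = typeof query?.name === "string" ? query.name.trim().toLowerCase() : "";
  if (term.length < 3) return { status: 400, body: [] };
  const hits = directory
    .filter((w) => w.name.toLowerCase().includes(term))
    .slice(0, MAX_RESULTS)
    .map((w) => ({ name: w.name, role: w.role })); // minimal fields only
  return { status: 200, body: hits };
}
```

With these checks, a placeholder string sent as a bearer token fails signature verification, and a request with the filter removed is rejected before the directory is read.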

Categories: Security Vulnerabilities, Data Exfiltration, Inadequate Authentication 

Tags: Vulnerabilities, Exfiltration, Employee Database, Security Oversights, Authentication Bypass, Hardcoded Credentials, API Access, Encryption, Confidential Data, Bug Bounty 
