A researcher this week disclosed the details of several vulnerabilities that allowed him to gain access to the information of Intel employees.
Security researcher Eaton Zveare discovered the vulnerabilities in the fourth quarter of 2024, and Intel patched them at the time.
Zveare initially discovered a vulnerability that enabled him to bypass authentication on an internal Intel India website designed to allow employees to order business cards.
“The intended purpose of the website is for an Intel India employee to find their name in the employee list and then form their business card based on the data,” the researcher explained.
While the site was associated with Intel India operations, Zveare discovered that the information of Intel employees from around the world was stored in the database. Further analysis revealed that the details of every Intel employee could have been downloaded by an attacker.
The exposed information included name, email address, phone number, and role. More sensitive information, such as Social Security numbers and salary data, was not included, the researcher said.
Zveare later discovered two other internal websites that exposed the details of all Intel employees, due to hardcoded credentials that provided admin access. The affected sites were designed for adding products to an application and organizing product groups.
A fourth internal Intel website, one designed for supplier data management, was found to be affected by an authentication bypass flaw that could have been exploited to gain access not only to the details of all Intel workers, but also “large amounts of confidential information about Intel’s suppliers”.
According to the researcher, these websites exposed the information of 270,000 Intel employees and workers.
Responding to a SecurityWeek inquiry, Intel pointed out that there was no breach, data leak, or unauthorized access to the company’s data.
“In October 2024, an external security researcher reported a vulnerability affecting several portals. Upon notification, immediate corrective actions were taken, and full remediation was completed promptly at that time,” an Intel spokesperson said. “Intel remains firmly committed to the continuous evaluation and strengthening of our security practices to protect our systems and information of our customers and employees.”
When Zveare reported his findings to Intel, these types of internal websites were not covered by the company’s bug bounty program. The chip giant has since expanded the program to cover cloud services and SaaS platforms, with rewards of up to $5,000.

