Researcher downloaded the data of all 270,000 Intel employees from an internal business card website — massive data breach dubbed 'Intel Outside' didn't qualify for bug bounty

It was possible to download sensitive information about 270,000 Intel employees until the end of February, according to Eaton Z, a security researcher, reverse engineer, and application developer. All this information was available with a little 'valid user' dodge applied to the Intel India Operations (IIO) site, where employees usually order their business cards. The vulnerability behind the potential hack, dubbed 'Intel Outside' by the researcher, was detailed to Intel in correspondence starting in October 2024. Moreover, the business card site was just one of four found with gaping security flaws.

From the introduction to his lengthy blog post, it is hinted that Eaton thought testing the locks on Intel websites would be worth a shot, given the firm's history of processor hardware vulnerabilities. With the headlining result, Eaton's preliminary ins tincts proved accurate.

How the hack worked: "The fancier the background, the more ineffective the login page will be"

Eaton explains that after their first scouting of the perimeter, they decided to check the JavaScript files behind the business card login form. It is sometimes possible "to trick an application into thinking a valid user is logged in by modifying the getAllAccounts function to return a non-empty array," Eaton narrated. Indeed, this worked and got Eaton past the login screen.

You may like

Next, it was observed that the website, at this depth, allowed for the probing of a long list of employees, not restricted to India, but worldwide. An API token, which was available to an anonymous user (like Eaton), provided even deeper access to the employee data.

Subsequently, Eaton was alarmed by the amount of information that could be pulled up about every employee. "Way more than this simple website would ever need," they commented, "Intel's APIs are very generous!"

Things got worse for Intel, not for Eaton. Removing the URL filter from the API being probed eventually yielded "a nearly 1GB JSON file." Inside this download, Eaton noted that there were details of every Intel employee (there are fewer now). Data included fields like each employee's name, role, manager, phone number, and mailing address.

Three other Intel websites were blown wide open by gentle prying

Eaton's work tested the locks, list ening for the clicks, on several other Intel websites. Perhaps you will be surprised to hear that three other vulnerable Intel Outside style hacks were possible?

Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.

On the internal 'Product Hierarchy' website, Eaton discovered easily decryptable hardcoded credentials. Again, the prize was a bumper list of Intel employee data, as well as the possibility to gain admin access to the system. Similarly, Intel's internal 'Product Onboarding' suffered from easily decryptable hardcoded credentials.

The corporate login on Intel's SEIMS Supplier Site was another security measure that could be bypassed. It delivered an amazing fourth way in which an attacker could "download the details of every Intel employee," says Eaton.

All right now

Eaton communicated with Intel, outlining the internal website flaws tha t had been discovered, starting from October 2024. Sadly, none of Eaton's work qualified for Intel bug bounty payouts, as it was excluded by some small print. Perhaps even worse, Eaton only got a single canned 'auto-response' from Intel throughout the whole process.

Easton noticed that all the vulnerabilities he had uncovered and reported to Intel had been addressed by February 28 this year. Publishing the linked blog on August 18, thus, seems eminently reasonable.

Follow Tom's Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.