Intel Websites Compromised, Allowing Hackers Access to Employee Data

A series of critical security flaws in Intel’s internal web infrastructure exposed the personal details of more than 270,000 employees and potentially provided attackers with access to sensitive corporate and supplier information.

The discoveries highlight severe weaknesses across multiple Intel-owned websites, raising broader concerns about the company’s handling of web application security.

According to security research findings that surfaced this week, four separate internal Intel systems were exploitable, offering multiple paths to exfiltrate the full global employee directory and, in some cases, to escalate into full administrative access.

  • Business Card Ordering Website: A corporate portal maintained by Intel India Operations contained a login bypass that allowed attackers to sidestep Microsoft Azure authentication. By manipulating the application, researchers were able to pull API tokens anonymously and ultimately download a nearly 1 GB JSON file containing the details of every Intel worker worldwide.
  • Hierarchy Management Portal: Another site used to manage internal product groups shipped with weakly encrypted, hardcoded credentials in its ReactJS code. These secrets could be easily decrypted, allowing unauthorized access to worker data and potentially granting admin-level privileges.
  • Product Onboarding Website: Used internally to publish products to Intel’s widely referenced ARK platform, this portal contained several exposed tokens, hardcoded passwords, and even a GitHub access token. Researchers demonstrated that these vulnerabilities could allow attackers to masquerade as product administrators, potentially enabling them to manipulate Intel’s product catalog.
  • SEIMS Supplier Portal: Billed as a secure system for supplier environmental health and safety (EHS) information, SEIMS was similarly exposed. By bypassing login checks and modifying client-side code, attackers could enumerate Intel employees and download confidential supplier data, including NDA-related details.

While no financial data or social security numbers were reportedly leaked, exposed fields included names, roles, contact details, and reporting structures. In aggregate, this represented a significant operational risk.

Login bypass applied to set isAuthenticated = true
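
Flipping a client-side flag such as isAuthenticated only matters when the API behind the page returns data without checking the caller itself. The sketch below is an added example, not code from Intel or from the researcher's write-up: it sets a handler that trusts the UI beside one that authenticates and authorizes every request on the server. The handler names, session store, roles and sample records are all hypothetical and constructed for illustration.

```javascript
// Added example: constructed data and hypothetical names throughout.
// Sessions the server created after a successful identity-provider sign-in.
const SESSIONS = new Map([
  ["sess-constructed-001", { user: "alice", roles: ["employee"] }],
  ["sess-constructed-002", { user: "bob", roles: ["employee", "directory-admin"] }],
]);

// Constructed stand-in for the directory the API serves.
const DIRECTORY = [
  { name: "Example Worker", role: "Engineer", manager: "Example Manager" },
];

// Weak pattern: the API assumes the UI has already gated access, so it
// answers any caller. A client-side flag is fully under the caller's control.
function directoryHandlerWeak(req) {
  return { status: 200, body: DIRECTORY };
}

// Resolve the caller from server-side state only; client-supplied claims
// (flags in the body, values in local storage) are never consulted.
function authenticate(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const match = /^Bearer ([A-Za-z0-9-]+)$/.exec(header);
  return match ? SESSIONS.get(match[1]) || null : null;
}

// Hardened pattern: every request is authenticated and authorized on the
// server, and the bulk directory export requires an explicit role.
function directoryHandlerHardened(req) {
  const session = authenticate(req);
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  if (!session.roles.includes("directory-admin")) {
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: DIRECTORY };
}

// A request from a browser where the flag was flipped but no session exists.
const tampered = { headers: {}, body: { isAuthenticated: true } };
console.log(directoryHandlerWeak(tampered).status);     // 200
console.log(directoryHandlerHardened(tampered).status); // 401
```

The same server-side check also bounds the damage from the hardcoded secrets described above: a credential recovered from a JavaScript bundle is only as powerful as what the API grants to whoever presents it.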

Intel, which has faced global scrutiny in the past for hardware-level vulnerabilities like Meltdown, Spectre, and various side-channel attacks, appeared slower to address web security.

The company’s bug bounty program explicitly excluded web infrastructure and leaked credentials from its reward scope, making reporting these flaws less appealing to researchers.

Despite this, the vulnerabilities were disclosed responsibly in late 2024, and Intel patched the flaws by February 2025.

CCB Request History

Although the researcher received no direct acknowledgement beyond an automated inbox reply, the problems were eventually resolved.

In a positive move, Intel announced recently that its bug bounty program has expanded to cover more online services — potentially including intel.com web properties in the future.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.