A series of critical vulnerabilities across multiple internal Intel websites enabled the complete exfiltration of the company’s **global employee database** (270,000+ records) and unauthorized access to **confidential supplier information**, including NDAs. The flaws stemmed from **client-side authentication bypasses, hardcoded credentials (e.g., the weak AES key '1234567890123456'), lack of server-side validation, and acceptance of a fabricated authorization token (the 'Not Autorized' typo)**, and were exploited via four distinct pathways. Key breaches included:

- **Intel India’s business card ordering site**: Bypassed Azure login via JavaScript modification, exposing an unauthenticated API that returned a 1GB JSON file with **employee names, roles, managers, phone numbers, and mailbox addresses**.
- **Product Hierarchy site**: Hardcoded, easily decrypted credentials granted backend access to the same employee database.
- **Product Onboarding site**: Contained **hardcoded API keys and a GitHub personal access token**, risking further supply chain compromise.
- **Supplier EHS IP Management System (SEIMS)**: Token validation bypass allowed **administrative access to supplier NDAs and IP data**.

Intel remediated the vulnerabilities post-disclosure (October 2024), but the incident highlights systemic security oversights. While **no SSNs or salaries were exposed**, the **mass PII breach of employees and partners** poses severe reputational, operational, and compliance risks.
Source: https://cybersecuritynews.com/intel-websites-exploited/
TPRM report: https://www.rankiteo.com/company/intel-labs
{
  "id": "int845081825",
  "linkid": "intel-labs",
  "type": "Vulnerability",
  "date": "10/2024",
  "severity": "85",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [
    {'customers_affected': 'None (internal systems; employees and suppliers impacted)',
     'industry': 'Semiconductors/Technology',
     'location': 'Global (HQ: Santa Clara, California, USA)',
     'name': 'Intel Corporation',
     'size': '~131,000 employees (270,000+ records exposed, including contractors)',
     'type': 'Multinational Corporation'},
    {'industry': 'Technology',
     'location': 'India',
     'name': 'Intel India Employees',
     'type': 'Subsidiary Workforce'},
    {'industry': 'Various (technology/supply chain)',
     'location': 'Global',
     'name': 'Intel Suppliers (via SEIMS)',
     'type': 'Business Partners'}],
 'attack_vector': [
    'Client-side Authentication Bypass (JavaScript modification)',
    "Hardcoded Credentials (weak AES encryption: key '1234567890123456')",
    'Lack of Server-Side Validation',
    'Unauthenticated API Issuing Valid Access Tokens',
    "Fabricated Authorization Token ('Not Autorized' typo bypass)",
    'API Response Manipulation for Administrative Access'],
 'data_breach': {
    'data_encryption': ["Weak (AES with key '1234567890123456')"],
    'data_exfiltration': 'Yes (1 GB JSON file with global workforce data)',
    'file_types_exposed': ['JSON (employee database)',
                           'API responses (supplier data)'],
    'number_of_records_exposed': '270,000+ (employees and workers)',
    'personally_identifiable_information': ['Names',
                                            'Job Roles',
                                            'Managers',
                                            'Phone Numbers',
                                            'Mailbox Addresses'],
    'sensitivity_of_data': ['Moderate to High (PII + confidential business data)'],
    'type_of_data_compromised': ['Personally Identifiable Information (PII)',
                                 'Corporate Hierarchy Data',
                                 'Supplier Confidential Information (NDAs, IP details)']},
 'date_detected': '2024-10-14',
 'description': 'A series of critical vulnerabilities across multiple internal Intel websites allowed for the complete exfiltration of the company’s global employee database (270,000+ records) and unauthorized access to confidential supplier information. The flaws included client-side authentication bypasses, hardcoded credentials (with weak AES encryption), lack of server-side validation, and an unauthenticated API issuing valid access tokens. Four distinct pathways enabled unauthorized download of the entire employee database, including names, job roles, managers, phone numbers, and mailbox addresses. Confidential supplier data, including NDAs, was also exposed via administrative access gained through manipulated API responses. The vulnerabilities were responsibly disclosed on October 14, 2024, and remediated by Intel before the 90-day disclosure period ended.',
 'impact': {
    'brand_reputation_impact': ['High (massive PII breach for a tech giant)',
                                'Erosion of trust among employees and suppliers'],
    'data_compromised': ['Employee PII (270,000+ records): names, job roles, managers, phone numbers, mailbox addresses',
                         'Confidential Supplier Data: NDAs, intellectual property details'],
    'identity_theft_risk': ['Moderate (no SSNs/salaries exposed, but PII could enable phishing/social engineering)'],
    'legal_liabilities': ['Potential GDPR/CCPA violations (PII exposure)',
                          'Contractual breaches with suppliers (NDA violations)'],
    'operational_impact': ['Potential supply chain disruptions',
                           'Internal process reviews required'],
    'systems_affected': ['Intel India Business Card Ordering Website',
                         'Product Hierarchy Management Website',
                         'Product Onboarding Site (ARK database management)',
                         'Supplier EHS IP Management System (SEIMS)']},
 'investigation_status': 'Completed (vulnerabilities remediated)',
 'lessons_learned': [
    'Critical importance of server-side validation over client-side checks',
    'Dangers of hardcoded credentials, especially with weak encryption',
    'Need for rigorous API security (token validation, rate limiting)',
    "Typos in code (e.g., 'Not Autorized') can have severe security implications",
    'Bug bounty scope limitations may discourage reporting of critical infrastructure flaws'],
 'motivation': ['Research', 'Responsible Disclosure'],
 'post_incident_analysis': {
    'corrective_actions': ['Server-side validation enforced',
                           'Hardcoded credentials removed/replaced with secure alternatives',
                           'API security hardened (token validation, rate limiting)',
                           'Encryption standards updated',
                           'Bug bounty program review initiated'],
    'root_causes': ['Over-reliance on client-side security controls',
                    'Lack of secure coding practices (hardcoded credentials, weak encryption)',
                    'Inadequate API security (unauthenticated token issuance, lack of input validation)',
                    'Poor secret management (exposed GitHub PAT, API keys)',
                    'Insufficient security testing for internal applications']},
 'recommendations': [
    'Implement comprehensive server-side validation for all authentication flows',
    'Eliminate hardcoded credentials; use secure secret management (e.g., HashiCorp Vault)',
    'Conduct regular penetration testing for internal applications',
    'Expand bug bounty program to include web infrastructure with competitive rewards',
    'Enforce code reviews for security-critical changes',
    'Deploy Web Application Firewalls (WAFs) with behavioral analysis',
    'Establish a dedicated channel for high-severity vulnerability disclosures'],
 'references': [{'source': 'Eaton Works Research (Vulnerability Disclosure)'}],
 'regulatory_compliance': {
    'regulations_violated': ['Potential GDPR (EU)',
                             'CCPA (California)',
                             'Sector-specific data protection laws']},
 'response': {
    'communication_strategy': ['Automated reply to researcher (no direct communication)'],
    'containment_measures': ['Patch for client-side authentication bypass',
                             'Removal of hardcoded credentials',
                             'Server-side validation implemented',
                             'API token validation fixes',
                             "Typo correction in authorization checks ('Not Autorized')"],
    'enhanced_monitoring': ['Likely implemented post-incident (not specified)'],
    'incident_response_plan_activated': 'Yes (remediation completed within 90 days)',
    'remediation_measures': ['Code reviews for internal web applications',
                             'Security audits for authentication flows',
                             'Encryption key rotation policies'],
    'third_party_assistance': ['Eaton Works (researcher who disclosed vulnerabilities)']},
 'threat_actor': 'Unknown (Responsible Disclosure by Eaton Works Researcher)',
 'title': "Critical Vulnerabilities in Intel's Internal Websites Leading to Massive Data Exfiltration",
 'type': ['Data Breach', 'Unauthorized Access', 'Information Disclosure'],
 'vulnerability_exploited': [
    'CWE-287: Improper Authentication (Authentication Bypass)',
    'CWE-798: Use of Hard-coded Credentials',
    'CWE-352: Cross-Site Request Forgery (CSRF) (via API manipulation)',
    'CWE-601: URL Redirection to Untrusted Site (Open Redirect) (via token manipulation)',
    'CWE-319: Cleartext Transmission of Sensitive Information (weak AES encryption)',
    'CWE-20: Improper Input Validation (lack of server-side checks)']}