Researcher Downloads Sensitive Intel Employee Data in Massive Breach Dubbed 'Intel Outside'

A security researcher has revealed that sensitive information about 270,000 Intel employees was available for download until the end of February. The massive data breach, dubbed "Intel Outside," was discovered by Eaton Z, a security researcher and application developer.

The vulnerability behind the breach was detailed to Intel in correspondence starting in October 2024. However, the incident did not qualify for bug bounty payouts, as it was excluded by the small print. Moreover, Eaton received only a single canned "auto-response" from Intel throughout the whole process.

Eaton's instincts proved accurate: they had suspected that testing the locks on Intel websites would be worth a shot, given the firm's history of processor hardware vulnerabilities. The headline result demonstrates that even seemingly secure systems can be breached with the right techniques.

How the Hack Worked

"The fancier the background, the more ineffective the login page will be," Eaton explained in a blog post. After scouting the perimeter of Intel's business card website, Eaton decided to check the JavaScript files behind the login form. They discovered that it was possible to trick the application into thinking a valid user was logged in by modifying the getAllAccounts function to return a non-empty array.

Indeed, this worked and got Eaton past the login screen. Next, they observed that the website allowed for probing of a long list of employees, not restricted to India but worldwide. An API token, which was available to an anonymous user, provided even deeper access to the employee data. Subsequently, Eaton was alarmed by the amount of information that could be pulled up about every employee.

"Way more than this simple website would ever need," Eaton said. "Intel's APIs are very generous!" Removing the URL filter from the API being probed eventually yielded a nearly 1GB JSON file. Inside this download, Eaton noted, were details of every Intel employee (although that number is now lower). The data included fields like each employee's name, role, manager, phone number, and mailing address.
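The three weaknesses described above (a login gate decided in the browser, a token issued to anonymous users, and an API that returns every field with no mandatory filter) all have server-side fixes. The sketch below is an added example, not code from Intel or from Eaton's post; the handler, token store, field list and sample records are hypothetical and constructed for illustration.

```javascript
// Added example: all names are hypothetical and all sample data is constructed.

// A client-side gate of the kind described: it only decides what the browser
// renders, so whoever controls the browser controls its result.
function clientSideGate(authClient) {
  return authClient.getAllAccounts().length > 0;
}

// Constructed sample records.
const EMPLOYEES = [
  { id: 1, name: "A. Example", role: "Engineer", country: "IN",
    manager: "B. Example", phone: "555-0100", address: "1 Sample St" },
  { id: 2, name: "C. Example", role: "Analyst", country: "US",
    manager: "D. Example", phone: "555-0101", address: "2 Sample Ave" },
];

// Constructed token store standing in for real server-side token validation.
const TOKENS = new Map([
  ["tok-user", { sub: "user1", scopes: ["directory:read"] }],
  ["tok-anon", { sub: null, scopes: [] }], // anonymous session token
]);

const PUBLIC_FIELDS = ["id", "name", "role"]; // only what the page needs
const MAX_PAGE = 50;                          // hard cap on rows per response

// Server-side handler: every decision is made from the validated token,
// never from anything the client claims about its own login state.
function handleEmployeeQuery({ token, country, limit }) {
  const claims = TOKENS.get(token);
  if (!claims || !claims.sub) return { status: 401, body: [] };
  if (!claims.scopes.includes("directory:read")) return { status: 403, body: [] };
  // The filter is mandatory: dropping it is an error, not a full dump.
  if (typeof country !== "string" || !/^[A-Z]{2}$/.test(country)) {
    return { status: 400, body: [] };
  }
  const n = Math.min(Number.isInteger(limit) && limit > 0 ? limit : MAX_PAGE, MAX_PAGE);
  const body = EMPLOYEES.filter((e) => e.country === country)
    .slice(0, n)
    // Field allowlist: phone, address and manager never leave the server.
    .map((e) => Object.fromEntries(PUBLIC_FIELDS.map((f) => [f, e[f]])));
  return { status: 200, body };
}
```

With these checks in place, the outcome of the browser-side gate no longer matters, because the data endpoint rejects anonymous tokens and unfiltered requests on its own.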

Other Vulnerabilities Found

Three other Intel websites were blown wide open by Eaton's work. They discovered easily decryptable hardcoded credentials on the internal 'Product Hierarchy' website, which delivered a bumper list of Intel employee data as well as the possibility to gain admin access to the system.

Similarly, Intel's internal 'Product Onboarding' suffered from easily decryptable hardcoded credentials. The corporate login on Intel's SEIMS Supplier Site was another security measure that could be bypassed.

The Conclusion

Eaton communicated with Intel, outlining the internal website flaws that had been discovered, starting from October 2024. However, none of Eaton's work qualified for Intel bug bounty payouts, and they only received a single canned 'auto-response' throughout the whole process.

Despite this, Eaton published their findings on August 18, which seems eminently reasonable given that all the vulnerabilities had been addressed by February 28th. This incident serves as a reminder of the importance of testing security measures and the need for companies to continually review and update their systems.