A recent investigation has uncovered critical vulnerabilities across multiple internal Intel websites, leading to the exposure of personal information for over 270,000 employees and access to confidential supplier data. These security flaws, identified by Eaton Works, stemmed from fundamental oversights such as client-side authentication bypasses, hardcoded credentials, and inadequate server-side validation.
Vulnerabilities Across Multiple Platforms
The research highlighted at least four distinct internal web applications with severe security issues:
1. Business Card Ordering System: Designed for Intel India employees, this platform allowed users to order business cards. By modifying the site’s JavaScript, an attacker could bypass the corporate Microsoft Azure login prompt. Once inside, an unauthenticated API issued a valid access token, which, when used to query a worker API without search filters, returned a nearly 1 GB JSON file. This file contained comprehensive details of Intel’s global workforce, including names, job roles, managers, phone numbers, and email addresses.
2. Product Hierarchy Management Website: This internal tool contained hardcoded credentials for its backend services. The password was stored encrypted, but with a trivially guessable AES key (‘1234567890123456’), so decrypting it was straightforward. This flaw provided another avenue to access the employee database.
3. Product Onboarding Site: Presumed to manage entries on Intel’s public ARK product database, this site stored numerous hardcoded secrets, including multiple API keys and a GitHub personal access token.
4. Supplier EHS IP Management System (SEIMS): This portal, used for managing intellectual property with suppliers, had a login check that could be bypassed by altering the code that tests for a valid token. By manipulating API responses, an attacker could gain administrative access and view confidential supplier data, including non-disclosure agreements (NDAs). Notably, the system’s backend APIs accepted a fabricated authorization token with the literal value “Not Autorized”; the misspelled placeholder itself points to a significant lapse in server-side security checks.
Disclosure and Response
The researcher responsibly disclosed these findings to Intel starting on October 14, 2024. Intel’s bug bounty program policy excludes web infrastructure from monetary rewards, directing such reports to a security email inbox. Although the researcher received only an automated reply and no direct communication, they confirmed that Intel addressed all reported vulnerabilities before the standard 90-day disclosure period concluded.
Implications and Recommendations
While no highly sensitive data like social security numbers or salary information was exposed, the breach of employee personally identifiable information (PII) and confidential partner data on such a large scale represents a significant security lapse for Intel. This incident underscores the importance of robust security practices, including:
– Regular Security Audits: Conducting comprehensive reviews of internal systems to identify and remediate vulnerabilities.
– Secure Coding Practices: Avoiding hardcoded credentials and ensuring proper encryption methods are employed.
– Server-Side Validation: Implementing stringent server-side checks to prevent unauthorized access.
– Prompt Patch Management: Addressing identified vulnerabilities swiftly to mitigate potential exploitation.
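To make the server-side validation point concrete, here is an added example (not code from the write-up or from Intel’s systems) that contrasts a presence-only header check, the kind of check that would accept a value like “Not Autorized”, with a routine that verifies signature and expiry on the server. The secret, token format and endpoint name are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret: load it from a secrets manager in production,
# never embed it in source (the sites in the write-up hardcoded keys and passwords).
SERVER_SECRET = b"constructed-example-secret-do-not-deploy"

def issue_token(subject, role, ttl_seconds=3600, now=None):
    """Mint a server-signed token: base64url(payload).base64url(HMAC-SHA256)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "role": role, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(mac).decode()

def weak_check(auth_header):
    """Presence-only check: any non-empty header passes, even a fabricated 'Not Autorized'."""
    return bool(auth_header)

def verify_token(auth_header, now=None):
    """Server-side check of scheme, structure, signature (constant-time) and expiry; None on failure."""
    now = time.time() if now is None else now
    if not auth_header.startswith("Bearer "):
        return None
    try:
        payload_b64, mac_b64 = auth_header[len("Bearer "):].split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # wrong part count, or invalid base64 (binascii.Error)
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered token
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims

def supplier_nda_endpoint(auth_header, now=None):
    """Hypothetical admin-only endpoint: decided from verified claims, not client-side assertions."""
    claims = verify_token(auth_header, now)
    if claims is None:
        return (401, "unauthorized")
    if claims.get("role") != "admin":
        return (403, "forbidden")
    return (200, "confidential supplier NDA list")
```

The role check lives next to the signature check on the server, so bypassing a browser-side login prompt gains nothing without a token the server itself signed.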
Organizations are encouraged to learn from this incident and bolster their cybersecurity measures to protect sensitive information and maintain trust with employees and partners.