Security researcher Eaton Zveare infiltrated four of Intel's internal systems, exposing information on 270,000 of its employees, Cybernews reports.
Exploitation of a vulnerability on Intel's corporate business card ordering website in India allowed an API to generate a JSON file of almost 1 GB containing data on Intel's workers, including names, roles, phone numbers, mailbox addresses, and managers, according to a report from Zveare. Intel's Hierarchy Management website was also found to have inadequate client-side encryption that revealed not only an insecure password but also details on unreleased products. The most significant hardcoded credential leak, however, was observed in Intel's Product Onboarding site, which had plaintext credentials for multiple APIs. All Intel employee information was also leaked by Intel's Supplier EHS IP Management System site, where client-side alterations additionally permitted access to suppliers' confidential information. Zveare noted that all of the issues merited only 'thank you' messages from Intel, which has only recently added services to its bug bounty program.
