A researcher this week disclosed the details of several vulnerabilities that allowed him to gain access to the data of Intel employees.
Security researcher Eaton Zveare discovered the vulnerabilities in the fourth quarter of 2024, and they were patched at the time by Intel.
Zveare initially discovered a vulnerability that enabled him to bypass authentication on an internal Intel India website designed to allow employees to order business cards.
“The supposed objective of the web site is for an Intel India worker to seek out their title within the worker listing after which kind their enterprise card primarily based on the info,” the researcher explained.
While the site was associated with Intel India operations, Zveare discovered that the information of Intel employees from around the world was stored in the database. Further analysis revealed that the details of every Intel employee could have been downloaded by an attacker.
The exposed information included name, email address, phone number, and role. More sensitive information such as Social Security numbers and salary data was not included, the researcher said.
Zveare later discovered two other internal websites that exposed the details of all Intel employees, due to hardcoded credentials that provided admin access. The affected sites were designed for adding products to an application and organizing product groups.
A fourth internal Intel website, one designed for supplier data management, was found to be affected by an authentication bypass flaw that could have been exploited to gain access not only to the details of all Intel employees, but also “massive quantities of confidential details about Intel’s suppliers”.
According to the researcher, these websites exposed the information of 270,000 Intel employees and workers.
Responding to a SecurityWeek inquiry, Intel pointed out that there was no breach, data leak, or unauthorized access to the company’s data.
“In October 2024, an exterior safety researcher reported a vulnerability affecting a number of portals. Upon notification, quick corrective actions had been taken, and full remediation was accomplished promptly at the moment,” an Intel spokesperson stated. “Intel stays firmly dedicated to the continual analysis and strengthening of our safety practices to guard our methods and data of our prospects and workers.”
When Zveare reported his findings to Intel, a majority of these internal websites were not covered by the company’s bug bounty program. The chip giant has since expanded the program to cover cloud services and SaaS platforms, with rewards of up to $5,000.