eaton-works.com 2025/08/18 - Hardcoded credentials, pointless encryption, and generous APIs exposed details of every employee and made it possible to break into internal websites.
Key Points / Summary

• It was possible to bypass the corporate login on an internal business card ordering website and exploit it to download the details of more than 270k Intel employees/workers.
• An internal “Product Hierarchy” website had easily decryptable hardcoded credentials that provided a second way to download the details of every Intel employee. More hardcoded credentials made it possible to gain admin access to the system.
• An internal “Product Onboarding” website had easily decryptable hardcoded credentials that provided a third way to download the details of every Intel employee. More hardcoded credentials made it possible to gain admin access to the system.
• It was possible to bypass the corporate login on Intel’s SEIMS Supplier Site and further exploit it to download the details of every Intel employee (the fourth way). Additional client-side modifications made it possible to gain full access to the system to view large amounts of confidential information about Intel’s suppliers.
  Intel needs no introduction. The storied chipmaker is a mainstay in modern computing and an Intel chip has been inside basically every computer I have ever owned. They’ve had their fair share of security vulnerabilities, from Meltdown and Spectre to side channel attacks and more. There have been many hardware security vulnerabilities over the years, but what about Intel websites? You never hear about vulnerabilities there. Probably because hardware vulnerabilities are worth up to $100k while website bugs are basically relegated to a black-hole inbox (more on that later). I managed to find some very serious issues in several internal Intel websites. Please note that all tokens and credentials shown below are now expired/rotated and can no longer be used.

...

Intel’s Response and Timeline
Intel’s bug bounty program has been around a while and is well-known. There are some great rewards too – up to $100k. After discovering multiple critical website vulnerabilities, I was excited about the potential rewards I would get. Then I read the fine print:

Credentials: Username, password, account identifier, keys, certificates, or other credentials that have been published, leaked, or exposed in some way should be reported to this program to ensure they can be properly investigated, cleaned up, and secured. Credentials are out of Scope for rewards.
Is Intel’s Web Infrastructure, i.e.*.intel.com in scope? Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, fall out of Scope. Please send security vulnerability reports against Intel.com and/or related web presence to external.security.research@intel.com.
Obviously disappointing, but the right thing to do was to still report the vulnerabilities, and that is what I did.
That is the only official correspondence I ever received from Intel. The good news is that everything was fixed, so while the email inbox was essentially a one-way black hole, at least the reports got to the right people eventually.

The full timeline:

October 14, 2024: Business Card vulnerability report sent.
October 29, 2024: Hierarchy Management and Product Onboarding vulnerability reports sent.
November 11, 2024: Follow-up email sent on the Hierarchy Management and Product Onboarding thread with more information as to what specific steps should be taken to fix the vulnerabilities.
November 12, 2024: SEIMS vulnerability report sent.
December 2, 2024: Follow-up email sent on the Hierarchy Management and Product Onboarding thread letting them know they must rotate the leaked credentials.
February 28, 2025: At this point, it has been more than 90 days since my first report and all vulnerabilities have been resolved. A new email was sent to alert Intel about the intent to publish.
August 18, 2025: Published.
The good news is that Intel has recently expanded their bug bounty coverage to include services. Hopefully they will include blanket coverage for *.intel.com in the future for bug bounty rewards.

uk.news.yahoo.com - Records show hundreds of data breaches involving HMRC staff

HM Revenue and Customs (HMRC) has revealed that hundreds of staff have accessed the records of taxpayers without permission or breached security in other ways. HMRC dismissed 50 members of staff last year for accessing or risking the exposure of taxpayers’ records, according to The Telegraph.

354 tax employees have been disciplined for data security breaches since 2022, of whom 186 have been fired - and some were dismissed for accessing confidential information. HMRC holds sensitive data including salary and earnings, which staff cannot access without a good reason.

In an email to staff, the line manager of the claimant wrote: “There have been more incidents of this recently.”

John Hood, of accountants Moore Kingston Smith, said: “Any HMRC employee foolish enough to look up personal information that is not part of their usual responsibilities faces a ticking time bomb as most searches are tracked. As an additional security, some parts of the system are restricted so that only specifically authorised personnel can access them, such as the departments dealing with MPs and civil servants.”

HMRC’s annual report shows there were six incidents last year of employees changing customer records without permission, and two of staff losing inadequately protected devices.

A spokesman for HMRC said: “Instances of improper access are extremely rare, and we take firm action when it does happen, helping prevent a recurrence. We take the security of customers’ data extremely seriously and we have robust systems to ensure staff only access records when there is a legitimate business need.”

A surveillance tool meant to keep tabs on employees is leaking millions of real-time screenshots onto the open web.

Your boss watching your screen isn't the end of the story. Everyone else might be watching, too. Researchers at Cybernews have uncovered a major privacy breach involving WorkComposer, a workplace surveillance app used by over 200,000 people across countless companies.

The app, designed to track productivity by logging activity and snapping regular screenshots of employees’ screens, left over 21 million images exposed in an unsecured Amazon S3 bucket, broadcasting how workers go about their day frame by frame.

Data breach at pension scheme being taken ‘extremely seriously’, but broadcaster says there is no evidence of a ransomware attack

The U.S. Government Accountability Office said Monday that CGI Federal, an IT contractor and unit of CGI Inc , notified the agency of a data breach last month affecting about 6,000 current and former GAO employees.