eaton-works.com 2025/08/18 - Hardcoded credentials, pointless encryption, and generous APIs exposed details of every employee and made it possible to break into internal websites.
Key Points / Summary
...
Intel’s Response and Timeline
Intel’s bug bounty program has been around for a while and is well known. There are some great rewards too – up to $100k. After discovering multiple critical website vulnerabilities, I was excited about the potential rewards I would get. Then I read the fine print:
Credentials: Username, password, account identifier, keys, certificates, or other credentials that have been published, leaked, or exposed in some way should be reported to this program to ensure they can be properly investigated, cleaned up, and secured. Credentials are out of Scope for rewards.
Is Intel’s Web Infrastructure, i.e. *.intel.com, in scope? Intel’s web infrastructure, i.e., website domains owned and/or operated by Intel, fall out of Scope. Please send security vulnerability reports against Intel.com and/or related web presence to external.security.research@intel.com.
Obviously disappointing, but the right thing to do was still to report the vulnerabilities, and that is what I did.
That is the only official correspondence I ever received from Intel. The good news is that everything was fixed, so while the email inbox was essentially a one-way black hole, at least the reports got to the right people eventually.
The full timeline:
October 14, 2024: Business Card vulnerability report sent.
October 29, 2024: Hierarchy Management and Product Onboarding vulnerability reports sent.
November 11, 2024: Follow-up email sent on the Hierarchy Management and Product Onboarding thread with more information as to what specific steps should be taken to fix the vulnerabilities.
November 12, 2024: SEIMS vulnerability report sent.
December 2, 2024: Follow-up email sent on the Hierarchy Management and Product Onboarding thread letting them know they must rotate the leaked credentials.
February 28, 2025: At this point, more than 90 days had passed since my first report and all vulnerabilities had been resolved. A new email was sent to alert Intel of the intent to publish.
August 18, 2025: Published.
The good news is that Intel has recently expanded its bug bounty coverage to include services. Hopefully it will include blanket coverage for *.intel.com in the future for bug bounty rewards.