Overview
- Eaton Zveare reported that an authentication bypass on an Intel India business‑card portal opened access to a global employee directory.
- By removing an API URL filter, the researcher says he retrieved a nearly 1 GB JSON file containing names, emails, phone numbers, roles, and manager details, but not Social Security numbers or salary data.
- He also found two internal sites with easily decrypted hardcoded credentials and a supplier management portal with an authentication bypass that could expose confidential supplier information.
- The issues were reported in October 2024 and remediated by late February 2025, after which the researcher publicly released the "Intel Outside" findings in August 2025.
- Intel states there was no breach or unauthorized access and has since expanded its bug bounty to cover certain cloud and SaaS services with rewards up to $5,000, while the affected internal portals were previously out of scope.