
Intel ghosts researcher who found web apps spilled 270K staff records

(2025/08/20)


Security boffin Eaton Zveare has highlighted some serious holes in the online infrastructure of chip giant Intel – walking through services with coding flaws to gain access to supposedly internal documentation, from non-disclosure agreements (NDAs) to the personal details of more than 270,000 Intel staffers.


"Intel needs no introduction. The storied chipmaker is a mainstay in modern computing and an Intel chip has been inside basically every computer I have ever owned," Zveare wrote of his discovery in a [2]public disclosure on Monday night. "They've had their fair share of security vulnerabilities, from [3]Meltdown and Spectre to [4]side-channel attacks and more. There have been many hardware security vulnerabilities over the years, but what about Intel websites? You never hear about vulnerabilities there. Probably because hardware vulnerabilities are worth up to $100k while website bugs are basically relegated to a black-hole inbox."

Zveare's investigations began last year, with a gentle poking at an Intel India Operations-run website, which allowed authorized employees to order a set of business cards. Naturally, such a site needs access to an employee database – but, unnaturally, Intel appeared to have done a poor job at the "authorized" side of things.

Picking the Angular-framework site apart, Zveare was able to find a redirect that could be exploited to bypass the authentication requirement. From there, he found an improperly authenticated API, which was happy to throw nearly 1 GB of employee data at anyone asking for it. "Through one API request," Zveare wrote, "I just exfiltrated a wealth of detailed information" – including names, roles, manager's names, telephone numbers, and email addresses covering more than 270,000 Intel employees.

Having been alerted to the fact that maybe Intel isn't securing its web presence like it should, Zveare hunted for more targets. A "Hierarchy Management" site turned out to use client-side encryption, with a comment in the JavaScript code even pointing to a website that allows anyone to decrypt the key – "100 percent pointless," Zveare noted. With this and some hardcoded credentials, he got access to an internal site providing product information, "some of which," the researcher noted, "may include unreleased products."


A "Product Onboarding" site was similarly ill-protected against attack, with hardcoded secrets providing access to a platform marked "Intel Confidential" and "For Internal Use Only," designed to add newly announced products to the company's ARK database. Worse, Zveare found a GitHub personal access token that could be used to start an automated process in an internal repository. "It's possible you could have created a rogue product on Intel ARK using this," Zveare wrote, "but I decided not to test this one."


Zveare also gained unauthenticated access to Intel's Supplier EHS IP Management System (SEIMS), which once again provided private information on Intel employees – aided by the use of sequential employee IDs, which made it easy to iterate through the whole database. With administrative-level access, Zveare was able to browse product and document reports, Intel customer data, and even information on non-disclosure agreements they had signed.

As a responsible researcher, Zveare alerted Intel to all of the above in fall 2024 – only to be met with absolute silence. While the company runs a bug bounty program, in which researchers can earn cash payouts for information on vulnerabilities in the company's products, that program doesn't extend to its web presence. Nor, it seems, does it include common courtesy: "When you send an email to [Intel's security team], you get [an] auto-response," Zveare wrote. "That is the only official correspondence I ever received from Intel. The good news is that everything was fixed, so while the email inbox was essentially a one-way black hole, at least the reports got to the right people eventually."


Intel was asked to comment on the security holes spotted by Zveare, and a spokesperson told us: "In October 2024, an external security researcher reported a vulnerability affecting several portals. Upon notification, immediate corrective actions were taken, and full remediation was completed promptly at that time. Intel remains firmly committed to the continuous evaluation and strengthening of our security practices to protect our systems and information of our customers and employees."

It did not answer whether or not it intends to update its recently expanded bug bounty program to cover these types of vulnerabilities, nor did the company tell us whether it had notified employees and the relevant authorities as to the breaches, well-intentioned as they may have been.


The Reg asked Zveare whether he thought it was an oversight on Intel's part. He responded: "I think it's a bit strange to exclude web vulnerabilities. This disclosure shows the potential is there for serious impacts if web infrastructure is not secure. As for why there was no bounty, there's probably other factors in play (budget, staffing resources, etc) that may make it impractical for them. The good news is that if you look at their Intigriti, they are starting to offer services-related bounties, so maybe one day they will have full *.intel.com coverage. I think they absolutely should include web vulnerabilities in scope, even if they have to start with small bounties."

What should Intel have done to protect itself? Zveare says that "Unauthenticated APIs or APIs that provide too much information are surprisingly common across every industry. API vulnerabilities happen and these would have likely been caught pretty easily if there was any security review."

He added: "What is not common is such extensive use of hardcoded tokens and credentials. I think they probably did that to make development easier and with the wishful thinking that no one outside of internal users would ever stumble upon the websites, but it's not a good look when their internal developers are including these details in client-side code... it makes me wonder if such information exists in other Intel products as well."


Asked what lessons Intel – and other companies – should learn from this, he responded: "Internal websites, even if you don't link to them anywhere, can still be found. If you don't secure them, there can be dire consequences. Always extend security reviews to include these systems! And, don't use AES encryption in the client-side code. I am seeing this more and more and it's useless for security."
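A build-time check for the two problems Zveare names above, hardcoded credentials and AES keys shipped in client-side JavaScript, is sketched below as an added example; it is not code from The Register, from Zveare's report or from Intel. The rule set, the CryptoJS-style call shape and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: scan a built client-side bundle for secrets before it ships.
// Rule ids and patterns are this example's own choices, not a complete list.
const RULES = [
  { id: "github-classic-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: "github-fine-grained-pat", re: /\bgithub_pat_[A-Za-z0-9_]{30,}\b/g },
  { id: "basic-auth-literal", re: /["']Basic\s+[A-Za-z0-9+\/]{8,}={0,2}["']/g },
  { id: "credential-literal",
    re: /\b(?:password|passwd|secret|api_?key|token)\b\s*[:=]\s*["'][^"'\s]{6,}["']/gi },
  // Assumes a CryptoJS-style call, AES.decrypt(data, "key"): the key is a
  // string literal, so it is delivered to every visitor with the ciphertext.
  { id: "client-side-aes-literal-key",
    re: /\bAES\.(?:encrypt|decrypt)\s*\([^,()]+,\s*["'][^"']+["']/g },
];

// Keep a finding actionable without copying the secret into CI logs.
function redact(match) {
  return match.slice(0, 4) + "…(" + match.length + " chars)";
}

function scanBundle(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const { id, re } of RULES) {
      for (const m of text.matchAll(re)) {
        findings.push({ rule: id, line: i + 1, evidence: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Pipeline gate: any finding fails the build.
function ciGate(source) {
  const findings = scanBundle(source);
  return { ok: findings.length === 0, findings };
}

// Constructed sample bundle; every value below is fake.
const FAKE_PAT = "ghp_" + "A".repeat(36);
const SAMPLE_BUNDLE = [
  'const api = "/api/employees";',
  'const cfg = { user: "svc_portal", password: "Sup3rS3cret!" };',
  'const plain = CryptoJS.AES.decrypt(blob, "0123456789abcdef").toString();',
  `fetch(repoUrl, { headers: { Authorization: "token ${FAKE_PAT}" } });`,
  'const theme = { token: getToken() };', // value fetched at runtime: not flagged
].join("\n");

console.log(ciGate(SAMPLE_BUNDLE));
```

A clean scan only means no literal matched these patterns; the API behind the page still has to authenticate and authorize every request on the server.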

Finally, The Register asked whether Zveare had seen any evidence that he was not the first to find the flaws: "There were no other signs of intrusion, and I do not believe anyone else accessed data the same way I did."

Zveare's full report is available on the researcher's website. He notes that all reported vulnerabilities had been fixed prior to publication. ®




[1] https://www.theregister.com/2018/01/04/intel_amd_arm_cpu_vulnerability/

[2] https://eaton-works.com/2025/08/18/intel-outside-hack/

[3] https://www.theregister.com/2018/01/04/intel_amd_arm_cpu_vulnerability/

[4] https://www.theregister.com/2015/01/23/we_know_computers_leak_signals_to_attackers_but_how_much/


[6] https://www.theregister.com/2025/08/19/softbank_intel_investment/

[7] https://www.theregister.com/2025/08/12/trump_intel_meeting/

[8] https://www.theregister.com/2025/08/11/intel_chief_to_visit_white/

[9] https://www.theregister.com/2025/08/07/republican_senator_queries_intel_over/




"Intel ghosts researcher"

Pascal Monett

Well, yes.

Poor little Intel. Already bleeding from a thousand cuts to its billions in the bank.

You wouldn't want it to waste another piddling thousands on an idiot who actually helped it, now would you?

Holes

elsergiovolador

When researchers find holes, hostile states probably already got sore from entering them back and forth.

Just sayin'

Still no thank you

squirrel_nutkin

I missed the part where they said thanks go out to the researcher etc. Oh yes, it wasn't there. Why do vendors do this?
