Medium / Information Disclosure

Best Buy's Employee Login Was Visible to Everyone

valkant / February 2026

Best Buy is one of the largest electronics retailers in the United States. Like most enterprises of that size, they have a sprawling internal infrastructure. Employee portals, helpdesk systems, internal tools, SSO gateways. All of it is supposed to live behind the corporate network, invisible to the outside world.

Except it was not invisible. During testing on Best Buy's bug bounty program, we found their employee authentication system fully accessible from the public internet. The login page was live, functional, and leaking information that should never be exposed externally.

The exposed system revealed 47 internal service names. That alone is a goldmine for an attacker building a map of the internal network. It also displayed the employee login interface with helpdesk contact information, giving an attacker everything they need for a convincing social engineering pretext. On top of that, internal tool URLs were visible in the page source.

This is a textbook case of internal infrastructure exposure. Somebody provisioned a service, pointed a DNS record at it, and never restricted access to clients on the corporate network. It happens constantly at large organizations because nobody owns the full inventory of what is publicly reachable, and a record in the internal zone that also answers from public resolvers is easy to miss.

The direct risk is not that an attacker can simply log in; nothing here bypasses authentication. The risk is reconnaissance. Every internal service name, every helpdesk email, every tool URL gives an attacker a thread to pull. This information fuels phishing campaigns with a credible internal pretext, credential stuffing against a login form that should not be reachable from the internet in the first place, and further enumeration of the internal network.

We reported this through Best Buy's Bugcrowd program. The fix is simple: restrict the authentication system to internal network access only, or put it behind a VPN. If the portal genuinely has to be reachable by remote staff, an identity-aware proxy in front of it does the same job, and the unauthenticated page should not list internal services, tool URLs, or helpdesk contact details either way. The harder problem is finding all the other internal services that are probably exposed the same way.
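The "harder problem" above, finding every internal name that answers from the public internet, is mostly a DNS exercise: take the org's internal zone (or a certificate-transparency dump of its domains), resolve each name from outside, and flag anything that returns a non-internal address and is not on a known allowlist of intentionally public hosts. The script below is an added example, not code from the original post or from Best Buy; the hostnames, addresses and the `ALLOWED_PUBLIC` set are constructed for the demo, and the live resolver and HTTP probe are there for a real run but are not exercised offline.

```python
"""Exposure audit: which internal hostnames resolve to public addresses?

Added example. Sample zone, addresses and allowlist are constructed; a real
run would feed in the internal zone export and use resolve_live().
"""
import ipaddress
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional

# Address space that should never be reachable from outside the corporate
# network. The sample below uses documentation ranges (203.0.113.0/24 etc.)
# as stand-ins for public addresses, so the check is against this explicit
# list rather than ipaddress.is_global, which treats those ranges as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # CGNAT, common inside corp nets
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]

# Constructed sample: internal zone names -> what a *public* resolver returns.
SAMPLE_DNS: Dict[str, List[str]] = {
    "sso.corp.example.com":          ["203.0.113.10"],              # leaked to a public IP
    "helpdesk.corp.example.com":     ["10.20.30.40"],               # internal only
    "tools.corp.example.com":        ["203.0.113.10", "10.1.2.3"],  # mixed answer: still exposed
    "vpn.example.com":               ["198.51.100.7"],              # public on purpose
    "old-intranet.corp.example.com": [],                            # no public answer
}

# Names that are meant to be reachable from the internet (assumed allowlist).
ALLOWED_PUBLIC: FrozenSet[str] = frozenset({"vpn.example.com"})

Resolver = Callable[[str], List[str]]


def is_internal(addr: str) -> bool:
    """True if the address lies in a range that should stay inside the network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def resolve_live(host: str) -> List[str]:
    """System resolver; [] when the name has no answer. Unused in the offline demo."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a fixed table, so the audit runs without network access."""
    return lambda host: list(table.get(host, []))


def classify(host: str, addrs: List[str], allowed_public: FrozenSet[str]) -> str:
    """One of: unresolved, internal, allowed-public, EXPOSED."""
    if not addrs:
        return "unresolved"
    if all(is_internal(a) for a in addrs):
        return "internal"
    # At least one public address came back: fine only if the name is meant to be public.
    return "allowed-public" if host in allowed_public else "EXPOSED"


def audit(hosts: Iterable[str], resolver: Resolver,
          allowed_public: FrozenSet[str] = ALLOWED_PUBLIC) -> Dict[str, str]:
    return {h: classify(h, resolver(h), allowed_public) for h in hosts}


def exposed(report: Dict[str, str]) -> List[str]:
    return sorted(h for h, status in report.items() if status == "EXPOSED")


def http_status(url: str, timeout: float = 5.0) -> Optional[int]:
    """Optional live confirmation: HTTP status if the host answers, else None.
    A DNS record alone can be stale; an HTTP answer on an EXPOSED name is the
    'login page is live and functional' condition from the write-up."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "exposure-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code            # 401/403 still proves the service is reachable
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    report = audit(SAMPLE_DNS, table_resolver(SAMPLE_DNS))
    for host, status in report.items():
        print(f"{status:15} {host}")
    print("exposed:", exposed(report))   # ['sso.corp.example.com', 'tools.corp.example.com']
```

The mixed-answer case (`tools.corp.example.com`) is worth keeping in the check: a name with both a public and a private record is often a split-horizon zone leaking one view into the other, and it is exposed regardless of which record a client happens to pick. For a real sweep, swap `table_resolver(SAMPLE_DNS)` for `resolve_live` and run it from a host outside the corporate network, otherwise the internal view of DNS will hide exactly the records you are looking for.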