A critical vulnerability in Zendesk, a widely used customer service tool, has been disclosed, allowing attackers to gain unauthorized access to the support tickets of multiple Fortune 500 companies. The flaw, found by a 15-year-old bug hunter named Daniel, exploited Zendesk's lack of adequate protection against email spoofing, allowing attackers to get into internal systems and access sensitive information.
Zendesk, a billion-dollar company trusted by big names like Cloudflare, is used by businesses to handle incoming emails and turn them into support tickets. However, the common setup of forwarding all mail sent to a company's support address into Zendesk created a potential security gap. An attacker who gained access to the Zendesk system could potentially reach internal systems as well, because Single Sign-On (SSO) setups often trust any account on the same email domain.
Vulnerability in Zendesk Allows Email Spoofing
The vulnerability was surprisingly simple. Zendesk's email collaboration feature allowed attackers to add themselves to a support ticket by sending spoofed emails. Knowing the support email address and the ticket ID, which is often easy to guess because IDs are assigned sequentially, an attacker could impersonate the original sender and gain full access to the ticket history.
This meant an attacker could join any ongoing support conversation and read sensitive data, all because Zendesk lacked proper protection against email spoofing. Daniel reported the vulnerability through Zendesk's bug bounty program but was initially met with a disappointing answer. The report was rejected because it relied on email spoofing, which was deemed "out of scope" for their HackerOne program.
"During my reporting, I made more than $50,000 in bounties from individual companies on HackerOne and other platforms," Daniel said. Despite the security risk, Zendesk declined to act on the report, prompting Daniel to escalate the issue by demonstrating how the bug could be used to get into the private Slack workspaces of hundreds of companies.
The exploit involved creating an Apple account with a company's support email address, requesting a verification code, and using the email spoofing bug to read the ticket that Zendesk automatically creates when that code arrives. This let Daniel verify the Apple account and log in to Slack using the "Login with Apple" option, effectively gaining access to confidential Slack channels.
After reporting the vulnerability to individual organizations, many took immediate action to patch their systems, while others insisted it was a Zendesk issue. Pressure from the affected parties eventually pushed Zendesk to address the problem, but it took over two months to resolve. Daniel earned more than $50,000 in bounties from the individual organizations but received no credit or bounty from Zendesk, which said he had violated HackerOne's disclosure guidelines by sharing the vulnerability with the affected companies.
Zendesk eventually confirmed that it had resolved the issue on July 2, 2024, by implementing filters that automatically suspend certain classes of emails, including user verification emails sent by Apple and non-transactional emails from Google. The company also plans to improve its Sender Authentication functionality and provide customers with more advanced security controls.
This critical flaw underscores the importance of strong security standards in the third-party tools that large companies rely on. The path to getting the vulnerability fixed was a frustrating mix of contradictions and slow responses, but it highlights the important role bug hunters play in identifying and addressing security risks.
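To make the missing check concrete, both for the spoofing weakness described earlier (a forged From: address is enough to join a ticket) and for the sender-authentication improvement Zendesk says it plans, here is an added example. It is not Zendesk's code and not from Daniel's report; it shows the decision an inbound-mail handler should make before attaching a sender to an existing ticket. The weak version trusts the From: header, which is exactly what a spoofer forges. The hardened version additionally requires that the receiving mail server's Authentication-Results header show a DMARC-aligned SPF or DKIM pass for the From: domain. The ticket store, the domains and every message header below are constructed for the example.

```python
"""
Added example (not Zendesk's code): the check an inbound-mail handler should make
before attaching the sender of a reply to an existing ticket. weak_may_join() trusts
the From: header, which is exactly what a spoofer forges; hardened_may_join() also
requires a DMARC-aligned SPF or DKIM "pass" in the receiving MTA's
Authentication-Results header. All tickets, domains and headers are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed ticket store: ticket id -> addresses already on the ticket.
TICKETS = {10234: {"alice@customer.example"}}

def from_address(msg):
    """Lower-cased address from the From: header (attacker-controlled in a spoof)."""
    return parseaddr(msg.get("From", ""))[1].lower()

def parse_auth_results(msg):
    """Parse Authentication-Results into {method: (result, authenticated domain)}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        # Drop the leading authserv-id ("mx.example;"), then read each method clause.
        body = header.split(";", 1)[1] if ";" in header else header
        for clause in body.split(";"):
            m = re.match(r"\s*(spf|dkim)=(\w+)(.*)", clause, re.I)
            if not m:
                continue
            d = re.search(r"(?:header\.d|smtp\.mailfrom)=([\w.\-@]+)", m.group(3), re.I)
            domain = d.group(1).split("@")[-1].lower() if d else None
            results[m.group(1).lower()] = (m.group(2).lower(), domain)
    return results

def aligned(auth_domain, from_domain):
    """DMARC relaxed alignment: the authenticated domain is the From: domain or a subdomain."""
    if not auth_domain or not from_domain:
        return False
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def weak_may_join(msg, ticket_id):
    """Weak policy: any sender whose From: matches a participant is attached."""
    return ticket_id in TICKETS and from_address(msg) in TICKETS[ticket_id]

def hardened_may_join(msg, ticket_id):
    """Hardened policy: participant match AND an aligned SPF or DKIM pass."""
    if not weak_may_join(msg, ticket_id):
        return False
    from_domain = from_address(msg).split("@")[-1]
    auth = parse_auth_results(msg)
    return any(result == "pass" and aligned(domain, from_domain)
               for result, domain in auth.values())

def decide(raw_message, ticket_id):
    """Run both policies over one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {"weak": weak_may_join(msg, ticket_id),
            "hardened": hardened_may_join(msg, ticket_id)}

# Constructed messages: SPOOFED forges alice's From: from an unrelated server;
# FORGED_DKIM carries a valid DKIM signature, but for the attacker's own domain.
SPOOFED = """\
Authentication-Results: mx.example; spf=fail smtp.mailfrom=attacker.example; dkim=none
From: alice@customer.example
To: support@company.example
Subject: Re: ticket 10234

Please add me to this ticket.
"""

FORGED_DKIM = """\
Authentication-Results: mx.example; spf=pass smtp.mailfrom=attacker.example; dkim=pass header.d=attacker.example
From: Alice <alice@customer.example>
To: support@company.example
Subject: Re: ticket 10234

Looks signed, but the signing domain does not align with From:.
"""

LEGIT = """\
Authentication-Results: mx.example; spf=pass smtp.mailfrom=customer.example; dkim=pass header.d=customer.example
From: Alice <alice@customer.example>
To: support@company.example
Subject: Re: ticket 10234

Following up on my request.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("forged-dkim", FORGED_DKIM), ("legit", LEGIT)):
        print(name, decide(raw, 10234))
```

The weak policy admits all three messages because each one claims to be from a participant; the hardened policy admits only the message whose SPF or DKIM pass is for a domain aligned with the From: address, which is the difference between a From: header anyone can type and a sender the receiving server has actually authenticated. Note that it relies on the Authentication-Results header being stamped by your own border MTA and stripped from inbound mail, otherwise an attacker simply supplies a forged one.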