Exploit chain:

1. Zendesk allows you to add users to a support issue and view the complete issue history by sending a response email to a guessable support email from a person associated with an issue and cc'ing the person to add.
2. Zendesk depends on a spam check for inbound email validity. This check does not appear to catch instances where the sender email is spoofed. Zendesk claims this is due to DKIM/SPF/DMARC config, but I have trouble imagining that 50% of the Fortune 500 would get this wrong. There are many automated checks available.
3. Apple issues an Apple ID account to anyone who can receive a verification email sent to the mailing address (support@company.com).
4. Slack allows you to sign in to a workspace using any Apple ID associated with the workspace domain (e.g. support@company.com).

This researcher reported #2 to hackerone and was declined. The researcher later discovered the full exploit with 3 and 4. Did not update hackerone, contacted affected companies directly. It would have been prudent to update hackerone on the additional finding, but it feels like an easy oversight for a 15 year old after getting rejected on the first round. Zendesk should take the higher ground and recognize the mistake and correct it. Not get all "ethical mumbo jumbo."
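Step 2 above is the point a defender can act on: a ticketing system should only let an inbound reply add participants when its own mail gateway verified the sender. The Python below is an added illustration, not code from the thread or from Zendesk; it assumes a hypothetical authserv-id `mx.example.com` for the receiving MX, parses the Authentication-Results header (RFC 8601) that MX stamps, and gates the "CC'd addresses join the ticket" behaviour on a DMARC pass recorded by that MX only. All messages are constructed samples.

```python
import re
from email.message import EmailMessage

# Assumption: the authserv-id our own inbound MX writes into Authentication-Results.
TRUSTED_AUTHSERV = "mx.example.com"

def parse_auth_results(header):
    """Split an Authentication-Results header into (authserv-id, {method: result})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    authserv = parts[0].split()[0].lower() if parts else ""
    results = {}
    for part in parts[1:]:
        m = re.match(r"([a-z]+)=([a-z]+)", part, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv, results

def sender_is_verified(msg):
    """True only when our own MX recorded dmarc=pass; anything else is unverified."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(str(header))
        if authserv != TRUSTED_AUTHSERV:
            continue  # headers stamped by any other host may have been forged upstream
        if results.get("dmarc") == "pass":
            return True
    return False

def may_add_cc_to_ticket(msg):
    """Allow a reply to add its CC'd addresses to the ticket only for verified senders."""
    return sender_is_verified(msg) and bool(msg.get_all("Cc"))

def make_msg(from_addr, cc, auth_headers):
    """Build a constructed sample inbound message (not real traffic)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "support@company.example"
    msg["Cc"] = cc
    for ar in auth_headers:
        msg["Authentication-Results"] = ar
    return msg

# Constructed samples: a DMARC-passing reply, a spoofed From, and a forged upstream header.
LEGIT = make_msg("alice@customer.example", "bob@customer.example",
                 ["mx.example.com; spf=pass smtp.mailfrom=customer.example; "
                  "dkim=pass header.d=customer.example; dmarc=pass header.from=customer.example"])
SPOOFED = make_msg("alice@customer.example", "outsider@attacker.example",
                   ["mx.example.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; "
                    "dmarc=fail header.from=customer.example"])
FORGED = make_msg("alice@customer.example", "outsider@attacker.example",
                  ["relay.attacker.example; dmarc=pass header.from=customer.example",
                   "mx.example.com; spf=none; dkim=none; dmarc=none header.from=customer.example"])
```

A message with no Authentication-Results from the trusted MX at all is treated as unverified, so the safe default is to hold the reply for review rather than to add the CC'd address.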
I'm not 15, but since you ignore(d) me - game over.