A Zendesk vulnerability allowed a cyber attacker to access sensitive customer information.
Working with HackerOne – a platform where ethical hackers test companies’ cybersecurity defenses for weaknesses – a 15-year-old bug hunter named Daniel was able to gain unauthorized access to multiple customer support tickets.
In a blog shared on X, Daniel detailed how he was able to locate and expose the flaw in Zendesk’s system.
1 Bug, $50K+ in bounties: how Zendesk left a backdoor in hundreds of companies #bugbountytips https://t.co/8pkfFsXRWR
— daniel (@hackermondev) October 11, 2024
Arguably, the most worrying concern for Zendesk and its users is the simplicity of the vulnerability.
Daniel highlighted inadequacies in Zendesk’s email collaboration feature, which left the vendor susceptible to email spoofing.
All prospective attackers needed was the support email address and the ticket ID, which is often predictable due to the use of sequential IDs.
They could then send emails from the original requestor’s address and copy themselves in, giving them unauthorized access to support tickets.
The lack of protection against spoofing attacks meant that the security systems of companies using single sign-on configurations could easily be bypassed, allowing attackers to join any active support conversation and access sensitive customer information.
But the vulnerability didn’t end there.
In order to outline the severity of the flaw, Daniel also showed how it could be used to access the private Slack workspaces of the companies deploying Zendesk’s system.
By creating an Apple account with a company’s support email and requesting a verification code, Daniel was able to use the spoofing email security gap to access the Zendesk support ticket.
The bug-hunter could then use the ‘Login with Apple’ feature to gain access to private Slack channels, where he could once again get his hands on confidential information.
So, given the seriousness of the would-be breach, how did Zendesk respond?
Zendesk’s Response
Despite Daniel having successfully exploited a security flaw in Zendesk’s system, when he reported the issue through the company’s bug bounty program it was rejected.
In a screenshot of the email chain with Zendesk released by Daniel, the company stated as follows:
“While we acknowledge that the ability to gain unauthorized access to support tickets is a serious matter, Zendesk’ policy explicitly lists “SPF, DKIM, DMARC issues” under the Bounty Ineligible Issues section.
Since the root cause of this vulnerability involves email spoofing by bypassing those email authentication protocols, it falls squarely into the excluded issues per the policy.
It was this reply that led to Daniel exposing the additional Slack vulnerability at the time, as well as taking his findings to some of the individual companies using Zendesk’s tech.
In doing so, the teenage bug-hunter secured over $50,000 in bounties from these companies, but not a penny from Zendesk.
In July of this year, the vendor did, however, confirm that it had resolved the issue by introducing filters to automatically block certain types of emails, including Apple user verification emails and non-transactional emails from Google.
Since Daniel released his blog detailing the email spoofing flaw and his communications with Zendesk, the company has also responded in a post uploaded to its Zendesk Help webpage.
In the post, Sean Cusick, Zendesk Product Manager, emphasizes that there is “no evidence that this vulnerability was exploited by a bad actor.”
In clarifying what he terms the “supply chain vulnerability,” Cusick explains that this is a common security issue that many companies face due to the integration of modern business tools.
He also advises that while the flaw has been resolved, Zendesk customers should “implement best practices around user verification,” such as using two-step authentication, utilizing subdomains for support emails, and securing third-party systems that manage sensitive information.
Finally, Cusick directly addresses Daniel’s criticisms of Zendesk’s bounty program, stating that he “violated key ethical principles by directly contacting third parties about their report prior to remediation.
This was in violation of bug bounty terms of service, which are industry standard and intended to protect the white hat community while also supporting responsible disclosure.
“This breach of trust resulted in the forfeiture of their reward, as we maintain strict standards for responsible disclosure.”
 
                                                                      
                                             
         
         
         
         
        