
hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

all 27 comments
[-] troed@fedia.io 84 points 2 months ago

Despite fixing the issue, Zendesk ultimately chose not to award a bounty for my report. Their reasoning? I had broken HackerOne's disclosure guidelines by sharing the vulnerability with affected companies

Regardless of everything else they should be kicked out from HackerOne since it's clearly Zendesk not being truthful here.

[-] elvith@feddit.org 41 points 2 months ago

I couldn’t help but find it amusing—they were now asking me to keep the report confidential, despite having initially dismissed it as out of scope.

"Sorry, but per your own guidelines this is out of scope. Because of this, this bug is not part of the agreement and guidelines on Hackerone. You can find my full disclosure, that I wrote after your dismissal here: " /s

[-] bjornsno@lemm.ee 5 points 2 months ago

I mean, that still allows zendesk to reply with "oh yeah that's also why we're not paying the bounty"

[-] elvith@feddit.org 4 points 2 months ago

Well, they did it anyways, so...

Also this might work as an answer to "yeah, it's a bug, but we won't pay you"

[-] AmbiguousProps@lemmy.today 83 points 2 months ago

The best part of this is how Zendesk's blog post claims that Zendesk discovered the issue, and then blamed the 15 year old for not following ethical principles.

[-] kalkulat@lemmy.world 62 points 2 months ago

I especially liked the part where he collected $50k by clueing the affected companies.

[-] lvxferre@mander.xyz 63 points 2 months ago

What a corporation of muppets! First dismissing the report as "not our problem lol", then as the hunter contacts affected companies the bug "magically" becomes relevant: they reopen the report, and then boss him around to not disclose it with the affected parties.

I bet that they lost way, way more than the US$2000 that they would've paid to the bug hunter. Also, I'm happy that hackermondev got many times that value from the affected companies.

[-] possiblylinux127@lemmy.zip 2 points 2 months ago

At the end of the day tens of thousands for companies is a small price to pay for something that could cost millions. As bonus this person now has a foothold in big companies. Sounds like a great way to get a well paying job.

[-] lvxferre@mander.xyz 1 points 2 months ago

Yup. And that's especially great as the boy is just 15, so he's starting his career really early.

[-] davidagain@lemmy.world 18 points 2 months ago

That was a great read, thank you for posting it here.

[-] lud@lemm.ee 13 points 2 months ago

Zendesk commented on the GitHub post with this:

Daniel points this out at the end of his post but for those looking for more details on this bug submission, our team at Zendesk posted some info here.

[-] lvxferre@mander.xyz 7 points 2 months ago

My sides went into orbit!

The way that the GitHub comment is phrased, it implies that the link contains additional info that hackermondev didn't mention. It doesn't - instead it contains a subset of that info, missing critical bits:

  1. That Zendesk initially dismissed hackermondev's report.
  2. That the "third parties" in question were Zendesk's clients.

Both pieces of info were omitted to back up a lie present in the text, that the bug hunter would have "violated key ethical principles". He didn't - as he noticed that Zendesk gives no flying fucks about the security issue, and that remediation was unlikely, he warned the people affected by the issue, so they can protect themselves against it.

Zendesk is not just being irresponsible - it's also being manipulative, and doubling down instead of doing the right thing ("we incorrectly dismissed that report. It was our bad. Here's your 2k.") They have no grounds to talk about ethical principles.

[-] machinin@lemmy.world 12 points 2 months ago* (last edited 2 months ago)

I didn't understand how the OP did this:

Create an Apple account with support@company.com

Is that just a spoofed email? What would be the steps to do that?

[-] Dave@lemmy.nz 52 points 2 months ago* (last edited 2 months ago)

They aren't trying to actually send from that email, they are trying to create an Apple ID that lets them log in using that email effectively as a username. And Slack will add people to the internal Slack if the email is a company email address.

To open that account, they need to prove to Apple they own the account. They sign up with Apple and say their email address is support@company.com, then Apple sends them a code to verify it's their email.

They can't actually receive the verification email, because it's not their email. That's where the exploit comes in. It's very important that this email address is the one that forwards emails to Zendesk. The verification email from Apple goes to Zendesk, then they use the exploit to see the history of the zendesk ticket, which includes the verification code.

[-] machinin@lemmy.world 7 points 2 months ago

Thanks, that's a useful description.

Pretty ingenious.

[-] possiblylinux127@lemmy.zip 9 points 2 months ago

Surprise, a massive company everyone thinks is the best is not "wasting" money on security or best practices.

The best option is to leave Zendesk. We need a trend where companies lose customers when they have such bad practices

[-] skuzz@discuss.tchncs.de 9 points 2 months ago

Great write-up and great find! You'll find companies will often try to weasel out of actually honoring ethical programs more than not, but that doesn't mean give up! If nothing else, the learning will lead to long term education and basically forever employment in various fields.

[-] where_am_i@sh.itjust.works 4 points 2 months ago

Is it you, lemmy, brigading that GitHub gist? @ZendeskTeam is already dead, but don't worry, you can still come and give them another kick.

[-] possiblylinux127@lemmy.zip 1 points 2 months ago

Someone on the GitHub mentioned that @Zendeskteam may not even be official.

I doubt most of those comments are from Lemmy. Probably Reddit and other places.

[-] Moonrise2473@feddit.it -4 points 2 months ago

Trying to do the devil's advocate: Zendesk isn't a mail server and all it's doing is organizing a million messages sent to a specific address in a neater way. A spam filter is also present because every email client needs it, but spoofed mails should be rejected by the mail server, not the clients.

[-] lvxferre@mander.xyz 23 points 2 months ago* (last edited 2 months ago)

What "should be done" is irrelevant - what matters is what "is done". And plenty of servers don't enforce SPF, DKIM and DMARC. (In fact not even Google and Yahoo did it, before February of this year.)

And, when you know that your product has a flaw caused by a third party not doing the right thing, and you can reasonably solve it through your craft, not solving it is being irresponsible. Doubly true if the flaw is related to security, as in this case.

Let us learn with Nanni: when Ea-nāṣir sold him shitty copper, instead of producing shitty armour, weapons and tools that might endanger Nanni's customers, Nanni complained to Ea-nāṣir. Nanni is responsible, Zendesk isn't. [Sorry, I couldn't resist.]

[EDIT: can you muppets stop downvoting the comment above? Dave is right, Moonrise is trying to start a discussion, there's nothing wrong with it.]
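The two comments above turn on whether the receiving side (here, whatever accepts mail for a company's support@ address and hands it to a ticketing system) actually enforces the sender domain's SPF and DMARC policy. The script below is an added example, not code from any commenter or from Zendesk: it takes a domain's published SPF and DMARC TXT records and reports what a conforming receiver does with a forged message claiming to be from that domain. The domains (strict.example, soft.example, spfonly.example, bare.example) and their TXT records are constructed for the example; nothing is looked up in live DNS, and the `redirect=` modifier is deliberately not followed.

```python
"""
Given a domain's SPF and DMARC records, say what a conforming receiver
does with a forged message that claims to come from that domain.

A forged message fails SPF (it is sent from a host the domain never
authorised) and carries no DKIM signature aligned with the From: domain,
so its DMARC result is always "fail"; the outcome depends entirely on
the policy the domain owner chose to publish.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample TXT records for hypothetical domains (not live DNS).
SAMPLE_TXT: Dict[str, List[str]] = {
    "strict.example":        ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "soft.example":          ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.soft.example":   ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    "spfonly.example":       ["v=spf1 ip4:198.51.100.10 -all"],   # no DMARC record
    "bare.example":          ["some-site-verification=abc123"],    # neither SPF nor DMARC
}


def find_record(name: str, prefix: str, txt_db: Dict[str, List[str]] = SAMPLE_TXT) -> Optional[str]:
    """Return the first TXT record at `name` starting with `prefix` (case-insensitive)."""
    for rec in txt_db.get(name.lower(), []):
        if rec.lower().startswith(prefix.lower()):
            return rec
    return None


def parse_spf_all(spf_txt: Optional[str]) -> Optional[str]:
    """Qualifier on the SPF 'all' mechanism: '+', '-', '~' or '?'.

    Returns None if there is no SPF record or no 'all' term (which SPF
    treats as neutral, i.e. the forgery is neither passed nor failed).
    """
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        return None
    for term in spf_txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, flags=re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc(dmarc_txt: Optional[str]) -> Tuple[Optional[str], int]:
    """Return (policy, pct). policy is 'none', 'quarantine', 'reject' or None.

    A record without a valid 'p' tag is unusable and treated as absent.
    """
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        return None, 100
    tags: Dict[str, str] = {}
    for part in dmarc_txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return None, 100
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    return policy, max(0, min(100, pct))


@dataclass
class SpoofAssessment:
    spf_all: Optional[str]       # qualifier on 'all', or None
    dmarc_policy: Optional[str]  # 'none' / 'quarantine' / 'reject' / None
    dmarc_pct: int               # share of failing mail the policy applies to
    verdict: str                 # 'reject', 'quarantine', 'receiver-dependent', 'accept'


def assess_records(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> SpoofAssessment:
    """Outcome for a forged message at a receiver that honours both records."""
    spf_all = parse_spf_all(spf_txt)
    policy, pct = parse_dmarc(dmarc_txt)
    if policy == "reject":
        verdict = "reject"            # pct < 100: remainder is quarantined
    elif policy == "quarantine":
        verdict = "quarantine"        # pct < 100: remainder is delivered
    elif spf_all == "-":
        # SPF hardfail with no enforcing DMARC policy: RFC 7208 permits the
        # receiver to reject, but many only adjust a spam score.
        verdict = "receiver-dependent"
    else:
        verdict = "accept"            # ~all, ?all, +all, no 'all', or no SPF at all
    return SpoofAssessment(spf_all, policy, pct, verdict)


def assess_domain(domain: str, txt_db: Dict[str, List[str]] = SAMPLE_TXT) -> SpoofAssessment:
    """Look up the domain's SPF and _dmarc records in `txt_db` and assess them."""
    spf = find_record(domain, "v=spf1", txt_db)
    dmarc = find_record("_dmarc." + domain, "v=dmarc1", txt_db)
    return assess_records(spf, dmarc)


if __name__ == "__main__":
    for d in ("strict.example", "soft.example", "spfonly.example", "bare.example"):
        print(f"{d:16} -> {assess_domain(d)}")
```

Only strict.example, which publishes `p=reject`, causes a conforming receiver to drop the forgery outright; soft.example's `~all` plus `p=none` and bare.example's missing records let it through, and spfonly.example's `-all` without DMARC leaves the decision to the receiver, which is exactly the gap the thread is arguing about. To run it against real domains, replace `SAMPLE_TXT` with a resolver call (for example dnspython's `dns.resolver.resolve(name, "TXT")`) and keep the assessment logic unchanged.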

[-] Dave@lemmy.nz 10 points 2 months ago

Sorry you've been downvoted for trying to start a discussion.

Is this not the swiss cheese thing? No control is perfect, so you layer them. If there is no reason why Zendesk should let this happen, then it shouldn't happen.

[-] Moonrise2473@feddit.it 2 points 2 months ago

They absolutely can and should fix it, but in the end, IMHO, it's a mail server misconfiguration coupled with a Slack issue, not a Zendesk security issue

[-] Dave@lemmy.nz 0 points 2 months ago* (last edited 2 months ago)

I can see both angles of this. Especially since the original disclosure didn't have the full detail of how it could be exploited to access company systems, and they (the writeup author) never disclosed that update.

You can see how a large company (Zendesk) could miss this in the multitude of people trying to claim bug bounties. I fully believe that had they understood the issue they should have fixed it, since it's within their power and basically a service to their clients. But I can understand how the limited detail in the original disclosure demonstrated a much lower level risk than the end exploit that was never reported.

[-] davidagain@lemmy.world 14 points 2 months ago

Nah, Zendesk should absolutely have recognised that gaining unauthorised read access to support ticket email chains is a massive security issue. Firstly "support email chains" accounts for proportionately nearly all the data Zendesk is handling, so a vulnerability there is core to the product, not at all peripheral, and secondly, who on earth is working in tech today that doesn't know that your email is the key to all your online accounts?

Zendesk here were blatantly either stupid or in denial and treated a bug reporter as a low life enemy instead of an asset. The kid did right by any plausible moral viewpoint.

this post was submitted on 13 Oct 2024
210 points (98.2% liked)

Mildly Infuriating
