Critical Zendesk Email Spoofing Flaw Let Attackers Gain Access To Support Tickets


A severe vulnerability in Zendesk, a widely used customer service tool, has been exposed, allowing attackers to gain unauthorized access to sensitive support tickets of numerous Fortune 500 companies.

The flaw, discovered by a 15-year-old bug hunter named Daniel, stemmed from Zendesk’s lack of effective protection against email spoofing, which enabled attackers to infiltrate internal systems and access confidential information.


Zendesk, a billion-dollar company trusted by big names like Cloudflare, is used by companies to manage incoming emails and create support tickets.

However, the common setup of forwarding all emails from a company’s support email to Zendesk created a potential security gap.

This gap could be exploited if an attacker gained access to the Zendesk system: because Single Sign-On (SSO) configurations often trust the same email domain that the support address uses, reading tickets could become a stepping stone into internal systems.


Zendesk Email Spoofing Vulnerability

The vulnerability was surprisingly simple. Zendesk’s email collaboration feature allowed attackers to add themselves to support tickets by sending spoofed emails.

By knowing the support email address and the ticket ID, which are often easy to guess due to incremental IDs, an attacker could impersonate the original sender and gain full access to the ticket history.

This meant an attacker could join any ongoing support conversation and read sensitive information, all because Zendesk lacked proper safeguards against email spoofing.

Daniel reported the vulnerability through Zendesk’s bug bounty program but was initially met with a disappointing response.

The report was rejected because it relied on email spoofing, which was considered “out of scope” for their HackerOne program.


“During my reporting, I earned more than $50,000 in bounties from individual companies on HackerOne and other platforms,” Daniel said.

Despite the security risk, Zendesk refused to act on the report, leading Daniel to escalate the issue by demonstrating how the bug could be used to infiltrate the private Slack workspaces of hundreds of companies.

The exploit involved creating an Apple account with a company’s support email, requesting a verification code, and using the email spoofing bug to access the ticket Zendesk automatically creates.

This allowed Daniel to verify the Apple account and log in to Slack using the “Login with Apple” feature, effectively gaining access to private Slack channels.

After reporting the vulnerability to individual companies, many took immediate action to patch their instances, while others argued it was a Zendesk issue.

The pressure from affected companies eventually forced Zendesk to address the issue, but it took over two months to resolve.

Daniel earned more than $50,000 in bounties from individual companies but received no recognition or bounty from Zendesk, which said he had broken HackerOne’s disclosure guidelines by sharing the vulnerability with affected companies.

Zendesk finally confirmed that they had fixed the issue on July 2, 2024, by implementing filters to automatically suspend certain classes of emails, including user verification emails sent by Apple and non-transactional emails from Google.
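The mechanism described earlier (a spoofed email with the right From address and ticket ID silently adds the sender to a ticket) and the fix described in the previous paragraph (suspending classes of automated email) both come down to how the inbound-mail gate of a ticketing system decides what to trust. The following is an added illustration written for this article, not Zendesk’s code or a description of its actual filters. It assumes a deployment where the organisation’s own MTA (placeholder authserv-id `mx.example-corp.com`) stamps an RFC 8601 `Authentication-Results` header on every inbound message and strips any foreign copies, and it uses a constructed placeholder domain `idp.example` to stand in for an identity provider’s verification sender. Three sample messages are constructed inline; none of the addresses or domains are real.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: our inbound MTA stamps this authserv-id on the
# Authentication-Results header it adds and strips any foreign copies.
OUR_AUTHSERV_ID = "mx.example-corp.com"

# Constructed stand-ins for automated senders whose mail should never
# become a ticket (the article names Apple's verification emails; the
# domain here is a placeholder, not Apple's real sender).
VERIFICATION_SENDER_DOMAINS = {"idp.example"}
VERIFICATION_SUBJECT_HINTS = ("verification code", "verify your")


def parse_auth_results(header):
    """Pull spf/dkim/dmarc verdicts and the DMARC-evaluated From domain
    out of an RFC 8601 Authentication-Results header value."""
    verdicts = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", header, re.I):
        verdicts[m.group(1).lower()] = m.group(2).lower()
    m = re.search(r"header\.from=([\w.-]+)", header, re.I)
    if m:
        verdicts["header.from"] = m.group(1).lower()
    return verdicts


def gate_inbound(raw_message, ticket_participants):
    """Decide what the ticketing system does with one inbound email.

    Returns (action, reason) where action is one of:
      'accept'  - authenticated reply from someone already on the ticket
      'hold'    - authenticated, but a new address: an agent must approve
                  before it is added as a collaborator (no silent self-add)
      'suspend' - fails authentication, or is an automated verification
                  email that must never turn into a ticket
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    from_domain = sender.rpartition("@")[2]
    if not from_domain:
        return "suspend", "unparseable From header"

    # Only trust the Authentication-Results stamped by our own MTA; a
    # sender can write any such header, so the authserv-id is checked.
    ours = [h for h in msg.get_all("Authentication-Results", [])
            if h.split(";", 1)[0].strip().lower() == OUR_AUTHSERV_ID]
    if not ours:
        return "suspend", "no Authentication-Results from our MTA"
    verdicts = parse_auth_results(ours[0])

    # Core mitigation for the spoofing flaw: the From address is only
    # believed when DMARC passed and was evaluated against that same domain.
    if verdicts.get("dmarc") != "pass" or verdicts.get("header.from") != from_domain:
        return "suspend", "DMARC failed or not aligned with From domain"

    # Automated verification emails are suspended even when authentic,
    # so no ticket ever carries a login code that a collaborator could read.
    subject = msg.get("Subject", "").lower()
    if from_domain in VERIFICATION_SENDER_DOMAINS or any(
            hint in subject for hint in VERIFICATION_SUBJECT_HINTS):
        return "suspend", "automated verification email"

    # Knowing a ticket ID is not enough: a new address needs agent approval.
    if sender not in ticket_participants:
        return "hold", "authenticated sender is not on the ticket"
    return "accept", "authenticated reply from ticket participant"


# --- constructed sample messages (not real traffic) ---
def _mail(from_addr, subject, auth_results):
    return "\n".join([
        f"From: {from_addr}",
        "To: support@example-corp.com",
        f"Subject: {subject}",
        f"Authentication-Results: {auth_results}",
        "",
        "Body text.",
    ])


SPOOFED = _mail("alice@example-corp.com", "Re: [Ticket #1042] VPN access",
                "mx.example-corp.com; spf=fail smtp.mailfrom=attacker.example; "
                "dkim=none; dmarc=fail header.from=example-corp.com")
LEGIT = _mail("alice@example-corp.com", "Re: [Ticket #1042] VPN access",
              "mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; "
              "dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com")
VERIFY = _mail("noreply@idp.example", "Your verification code",
               "mx.example-corp.com; spf=pass smtp.mailfrom=idp.example; "
               "dkim=pass header.d=idp.example; dmarc=pass header.from=idp.example")

if __name__ == "__main__":
    participants = {"alice@example-corp.com"}
    for name, m in (("spoofed", SPOOFED), ("legit", LEGIT), ("verify", VERIFY)):
        print(name, gate_inbound(m, participants))
```

The three outcomes matter separately: the spoofed reply is suspended on the DMARC verdict alone, the verification email is suspended even though it authenticates cleanly, and an authenticated sender who is not yet on the ticket is held for an agent rather than being added automatically, which is the behaviour the article describes as missing.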

The company also plans to strengthen its Sender Authentication functionality and provide customers with more advanced security controls.

This critical flaw highlights the importance of robust security measures in third-party tools used by large corporations.

The journey to get the vulnerability fixed was a frustrating mix of rejections and slow responses, but it underscores the crucial role of bug hunters in identifying and addressing security risks.
