Comment on Bug bounty denied? Hmmm ... OK, let's see ...
Dave@lemmy.nz 2 months agoThey aren’t trying to actually send from that email, they are trying to create an Apple ID that lets them log in using that email effectively as a username.
To open that account, they need to prove to Apple they own the account. They sign up with Apple and say their email address is support@company.com, then Apple sends them a code to verify it’s their email.
They can’t actually verify it’s theirs, because it’s not theirs. That’s where the exploit comes in. It’s very important that this email address is the one that forwards emails to Zendesk. The verification email from Apple goes to Zendesk, then they use the exploit to see the history of the zendesk ticket, which includes the verification code.
machinin@lemmy.world 2 months ago
Thanks, that’s a useful description.
Pretty ingenious.