Bug bounty denied? Hmmm ... OK, let's see ...

Submitted ⁨⁨1⁩ ⁨month⁩ ago⁩ by ⁨kalkulat@lemmy.world⁩ to ⁨mildlyinfuriating@lemmy.world⁩

https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b9d2cf2e52

hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

source

Comments

Sort:hotnew top

AmbiguousProps@lemmy.today ⁨1⁩ ⁨month⁩ ago
The best part of this is how Zendesk’s blog post claims that Zendesk discovered the issue, and then blamed the 15 year old for not following ethical principles.

source
- kalkulat@lemmy.world ⁨1⁩ ⁨month⁩ ago
  I specially liked the part where he collected $50k by clueing the affected companies.
  
  source
lvxferre@mander.xyz ⁨1⁩ ⁨month⁩ ago
What a corporation of muppets! First dismissing the report as “not our problem lol”, then as the hunter contacts affected companies the bug “magically” becomes relevant: they reopen the report, and then boss him around to not disclose it with the affected parties.

I bet that they lost way, way more than the US$2000 that they would’ve paid to the bug hunter. Also, I’m happy that hackermondev got many times that value from the affected companies.

source
- possiblylinux127@lemmy.zip ⁨1⁩ ⁨month⁩ ago
  At the end of the day tens of thousands for companies is a small price to pay for something that could cost millions. As bonus this person now has a foothold in big companies. Sounds like a great way to get a well paying job.
  
  source
  - lvxferre@mander.xyz ⁨1⁩ ⁨month⁩ ago
    Yup. And that’s specially great as the boy is just 15, so he’s starting his career really early.
    
    source
Moonrise2473@feddit.it ⁨1⁩ ⁨month⁩ ago
Trying to do the devil’s advocate: Zendesk isn’t a mail server and all it’s doing is to organize a million messages sent to a specific address in a neater way. A spam filter is also present because every email client needs it, but spoofed mails should be rejected by the mail server, not the clients.

source
- lvxferre@mander.xyz ⁨1⁩ ⁨month⁩ ago
  What “should be done” is irrelevant - what matters is what “is done”. And plenty servers don’t enforce SPF, DKIM and DMARC. (In fact not even Google and Yahoo did it, before February of this year.)
  
  And, when you know that your product has a flaw caused by a third party not doing the right thing, and you can reasonably solve it through your craft, not solving it is being irresponsible. Doubly true if it the flaw is related to security, as in this case.
  
  (Let us learn with Nanni: when Ea-nāṣir sold him shitty copper, instead of producing shitty armour, weapons and tools that might endanger Nanni’s customers, Nanni complained with Ea-nāṣir. Nanni is responsible, Zendesk isn’t.)
  
  source
- Dave@lemmy.nz ⁨1⁩ ⁨month⁩ ago
  Sorry you’ve been downvoted for trying to start a discussion.
  
  Is this not the swiss cheese thing? No control is perfect, so you layer them. If there is no reason why Zendesk should let this happen, then it shouldn’t happen.
  
  source
  - Moonrise2473@feddit.it ⁨1⁩ ⁨month⁩ ago
    They absolutely can and should fix it, but in the end, IMHO, it’s a mail server misconfiguration coupled with a slack issue, not a Zendesk security issue
    
    source
    -> View More Comments
davidagain@lemmy.world ⁨1⁩ ⁨month⁩ ago
That was a great read, thank you for posting it here.

source
lud@lemm.ee ⁨1⁩ ⁨month⁩ ago
Zendesk commented on the GitHub post with this:

Daniel points this out at the end of his post but for those looking for more details on this bug submission, our team at Zendesk posted some info here.

source
- lvxferre@mander.xyz ⁨1⁩ ⁨month⁩ ago
  My sides went into orbit!
  
  The way that the Github comment is phrased, it implies that the link contains additional info that hackermondev didn’t mention. It doesn’t - instead it contains a subset of that info, missing critical bits:
  
  That Zendesk initially dismissed hackermondev’s report.
  
  That the “third parties” in question were Zendesk’s clients.
  
  Both pieces of info were omitted to back up a lie present in the text, that the bug hunter would have “violated key ethical principles”. He didn’t - as he noticed that Zendesk gives no flying fucks about the security issue, and that remediation was unlikely, he warned the people affected by the issue, so they can protect themselves against it.
  
  Zendesk is not just being irresponsible - it’s also being manipulative, and doubling down instead of doing the right thing (“we incorrectly dismissed that report. It was our bad. Here’s your 2k.”) They have no grounds to talk about ethical principles.
  
  source
machinin@lemmy.world ⁨1⁩ ⁨month⁩ ago
I didn’t understand how the OP did good this:

Create an Apple account with support@company.com

Is that just a spoofed email? What would be the steps to do that?

source
- Dave@lemmy.nz ⁨1⁩ ⁨month⁩ ago
  They aren’t trying to actually send from that email, they are trying to create an Apple ID that lets them log in using that email effectively as a username.
  
  To open that account, they need to prove to Apple they own the account. They sign up with Apple and say their email address is support@company.com, then Apple sends them a code to verify it’s their email.
  
  They can’t actually verify it’s theirs, because it’s not theirs. That’s where the exploit comes in. It’s very important that this email address is the one that forwards emails to Zendesk. The verification email from Apple goes to Zendesk, then they use the exploit to see the history of the zendesk ticket, which includes the verification code.
  
  source
  - machinin@lemmy.world ⁨1⁩ ⁨month⁩ ago
    Thanks, that’s a useful description.
    
    Pretty ingenious.
    
    source
possiblylinux127@lemmy.zip ⁨1⁩ ⁨month⁩ ago
Surprise a massive company everyone thinks is the best is not “wasting” money on security or best practices.

The best option is to leave Zendesk. We need a trend where companies lose customers when they have such bad practices

source
skuzz@discuss.tchncs.de ⁨1⁩ ⁨month⁩ ago
Great write-up and great find! You’ll find companies will often try to weasel out of actually honoring ethical programs more than not, but that doesn’t mean give up! If nothing else, the learning will lead to long term education and basically forever employment in various fields.

source
where_am_i@sh.itjust.works ⁨1⁩ ⁨month⁩ ago
Is it you, lemmy, brigading that GitHub gist? @ZendeskTeam is being is already dead, but don’t worry, you can still come and give them another kick.

source
- possiblylinux127@lemmy.zip ⁨1⁩ ⁨month⁩ ago
  Someone on the Github mentioned that @Zendeskteam may not even be official.
  
  I doubt most of those comments are from Lemmy. Probably Reddit and other places.
  
  source