A critical vulnerability in Zendesk, a popular customer service platform, has been uncovered, allowing attackers to gain unauthorized access to sensitive support tickets belonging to multiple Fortune 500 companies. The flaw was identified by a 15-year-old bug hunter named Daniel, who exploited Zendesk’s inadequate defenses against email spoofing. This vulnerability enabled attackers to penetrate Zendesk’s internal systems and access confidential information.
Zendesk, a billion-dollar company trusted by major organizations like Cloudflare, is widely used to manage customer service requests by creating support tickets from incoming emails. However, the typical setup of forwarding all support emails to Zendesk opened up a significant security loophole.
An attacker who got into a company's Zendesk tickets this way could go further: if the company's Single Sign-On (SSO) trusts accounts on the same email domain that receives support mail, access to internal systems follows, significantly expanding the impact of the breach.
Zendesk Email Spoofing Vulnerability
The vulnerability in Zendesk’s system was surprisingly straightforward. It stemmed from the platform’s email collaboration feature, which allowed attackers to join support tickets by sending spoofed emails. By simply knowing the support email address and the ticket ID—often predictable due to incremental numbering—an attacker could impersonate the original sender, gaining full access to the ticket history and ongoing support conversations. This significant flaw existed because Zendesk lacked proper defenses against email spoofing.
When Daniel, the 15-year-old bug hunter who discovered the flaw, reported it through Zendesk’s bug bounty program on HackerOne, his findings were initially dismissed. Zendesk rejected the report, stating that email spoofing was considered “out of scope” for their HackerOne program. The rejection came despite Daniel's track record: he had already earned over $50,000 in bounties from other companies for similar reports on HackerOne and other platforms.
Frustrated by Zendesk’s inaction, Daniel escalated the issue by demonstrating how the vulnerability could be used to infiltrate the private Slack workspaces of numerous companies. He achieved this by creating an Apple account with a company’s support email, requesting a verification code, and then exploiting the email spoofing flaw to access the ticket that Zendesk automatically generates. This method enabled him to verify the Apple account and use the “Login with Apple” feature to access private Slack channels.
Many affected companies took immediate steps to patch their systems after Daniel reported the issue to them directly, although some argued that the responsibility lay with Zendesk to fix the root cause. Under pressure from these companies, Zendesk eventually addressed the flaw, but it took over two months to implement a fix.
Zendesk confirmed on July 2, 2024, that they had resolved the issue by implementing filters to suspend specific classes of emails, including user verification messages from Apple and non-transactional emails from Google. The company also announced plans to enhance its Sender Authentication functionality and provide more advanced security controls for customers.
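As an added, hypothetical illustration (not Zendesk's code) of the two defences this article describes, the following Python gate decides what an inbound support email is allowed to do: it suspends the account-verification class of mail that the fix targets, and it refuses to add a sender to an existing ticket unless the From domain's DMARC check passed, which is what closes the spoofing path described earlier. The ticket-number format, the header layout and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Assumptions for this illustration: the ticket ID appears in the Subject as
# "#<digits>" and the receiving MTA stamps an Authentication-Results header.
TICKET_RE = re.compile(r"#(\d+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def is_verification_mail(msg) -> bool:
    """The class of mail the fix suspends outright: account-verification
    messages (the article names Apple's) landing on a support address."""
    sender, subject = msg.get("From", "").lower(), msg.get("Subject", "").lower()
    return "apple.com" in sender or "verification code" in subject

def gate(raw: str) -> tuple[str, str]:
    """Decide what the ticketing system does with one inbound message.
    Returns (decision, detail): 'join' adds the sender to the referenced
    ticket, 'new' opens a ticket, 'suspend' holds the mail for a human."""
    msg = message_from_string(raw)
    if is_verification_mail(msg):
        return "suspend", "verification mail must never become a ticket"
    ticket = TICKET_RE.search(msg.get("Subject", ""))
    if ticket is None:
        return "new", ""
    # Joining an existing ticket is an identity claim on the From address;
    # honour it only when the sending domain's DMARC check passed.
    verdicts = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    if verdicts.get("dmarc") != "pass":
        return "suspend", f"unauthenticated sender asked to join ticket {ticket.group(1)}"
    return "join", ticket.group(1)

# Constructed sample messages, not real traffic.
SPOOFED_REPLY = """From: alice@customer.example
To: support@acme.example
Subject: Re: [Ticket #44821] VPN access
Authentication-Results: mx.acme.example; spf=fail dkim=none dmarc=fail

Could you paste the earlier credentials again?
"""
GENUINE_REPLY = SPOOFED_REPLY.replace("spf=fail dkim=none dmarc=fail", "spf=pass dkim=pass dmarc=pass")
APPLE_CODE = "From: Apple <noreply@id.apple.com>\nTo: support@acme.example\nSubject: Your verification code\n\n123456\n"
FRESH_REQUEST = "From: bob@customer.example\nTo: support@acme.example\nSubject: Printer offline\n\nHelp?\n"

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_REPLY), ("genuine", GENUINE_REPLY),
                      ("apple", APPLE_CODE), ("fresh", FRESH_REQUEST)]:
        print(name, gate(raw))
```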
Despite his efforts, Daniel received no bounty or recognition from Zendesk, as they claimed he had violated HackerOne’s disclosure guidelines by sharing the vulnerability details with affected companies. This situation highlights the often challenging journey bug hunters face when reporting vulnerabilities and the critical role they play in identifying and resolving security flaws in third-party tools used by major corporations.