hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

  • AmbiguousProps@lemmy.today · ↑ 77 · 1 month ago

    The best part of this is how Zendesk’s blog post claims that Zendesk discovered the issue, and then blamed the 15-year-old for not following ethical principles.

    • kalkulat@lemmy.world (OP) · ↑ 59 · 1 month ago

      I especially liked the part where he collected $50k by clueing in the affected companies.

  • troed@fedia.io · ↑ 66 · 1 month ago

    Despite fixing the issue, Zendesk ultimately chose not to award a bounty for my report. Their reasoning? I had broken HackerOne’s disclosure guidelines by sharing the vulnerability with affected companies

    Regardless of everything else, they should be kicked out of HackerOne, since it’s clearly Zendesk not being truthful here.

    • elvith@feddit.org · ↑ 34 · 1 month ago

      I couldn’t help but find it amusing—they were now asking me to keep the report confidential, despite having initially dismissed it as out of scope.

      “Sorry, but per your own guidelines this is out of scope. Because of this, this bug is not part of the agreement and guidelines on Hackerone. You can find my full disclosure, that I wrote after your dismissal here: <Link>” /s

      • bjornsno@lemm.ee · ↑ 4 · 1 month ago

        I mean, that still allows zendesk to reply with “oh yeah that’s also why we’re not paying the bounty”

        • elvith@feddit.org · ↑ 3 · 1 month ago

          Well, they did it anyways, so…

          Also this might work as an answer to “yeah, it’s a bug, but we won’t pay you”

      • Possibly linux@lemmy.zip · ↑ 4 · 1 month ago

        Sounds like they just didn’t want to pay this guy. That is so dumb, as if they lose even a few customers they are going to be in the negative. They should have paid him and then turned this into a PR positive.

  • Lvxferre@mander.xyz · ↑ 51 · 1 month ago

    What a corporation of muppets! First dismissing the report as “not our problem lol”, then, as the hunter contacts affected companies, the bug “magically” becomes relevant: they reopen the report, and then boss him around to not disclose it to the affected parties.

    I bet that they lost way, way more than the US$2000 that they would’ve paid to the bug hunter. Also, I’m happy that hackermondev got many times that value from the affected companies.

    • Possibly linux@lemmy.zip · ↑ 2 · 1 month ago

      At the end of the day, tens of thousands for companies is a small price to pay for something that could cost millions. As a bonus, this person now has a foothold in big companies. Sounds like a great way to get a well-paying job.

      • Lvxferre@mander.xyz · ↑ 1 · 1 month ago

        Yup. And that’s especially great as the boy is just 15, so he’s starting his career really early.

  • lud@lemm.ee · ↑ 13 · 1 month ago

    Zendesk commented on the GitHub post with this:

    Daniel points this out at the end of his post but for those looking for more details on this bug submission, our team at Zendesk posted some info here.

    • Lvxferre@mander.xyz · ↑ 6 · 1 month ago

      My sides went into orbit!

      The way that the GitHub comment is phrased, it implies that the link contains additional info that hackermondev didn’t mention. It doesn’t; instead it contains a subset of that info, missing critical bits:

      1. That Zendesk initially dismissed hackermondev’s report.
      2. That the “third parties” in question were Zendesk’s clients.

      Both pieces of info were omitted to back up a lie present in the text, that the bug hunter would have “violated key ethical principles”. He didn’t - as he noticed that Zendesk gives no flying fucks about the security issue, and that remediation was unlikely, he warned the people affected by the issue, so they can protect themselves against it.

      Zendesk is not just being irresponsible - it’s also being manipulative, and doubling down instead of doing the right thing (“we incorrectly dismissed that report. It was our bad. Here’s your 2k.”) They have no grounds to talk about ethical principles.

  • Possibly linux@lemmy.zip · ↑ 9 · 1 month ago

    Surprise, a massive company everyone thinks is the best is not “wasting” money on security or best practices.

    The best option is to leave Zendesk. We need a trend where companies lose customers when they have such bad practices.

  • skuzz@discuss.tchncs.de · ↑ 9 · 1 month ago

    Great write-up and great find! You’ll find companies will often try to weasel out of actually honoring ethical programs more often than not, but that doesn’t mean give up! If nothing else, the learning will lead to long-term education and basically forever employment in various fields.

  • where_am_i@sh.itjust.works · ↑ 3 · 1 month ago

    Is it you, lemmy, brigading that GitHub gist? @ZendeskTeam is already dead, but don’t worry, you can still come and give them another kick.

    • Possibly linux@lemmy.zip · ↑ 1 · 1 month ago

      Someone on the GitHub gist mentioned that @Zendeskteam may not even be official.

      I doubt most of those comments are from Lemmy. Probably Reddit and other places.