hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

  • Lvxferre [he/him]@mander.xyz · +49 · 9 months ago

    What a corporation of muppets! First dismissing the report as “not our problem lol”, then as the hunter contacts affected companies the bug “magically” becomes relevant: they reopen the report, and then boss him around to not disclose it with the affected parties.

    I bet that they lost way, way more than the US$2000 that they would’ve paid to the bug hunter. Also, I’m happy that hackermondev got many times that value from the affected companies.

  • lud@lemm.ee · +12 · 9 months ago

    Zendesk commented on the GitHub post with this:

    Daniel points this out at the end of his post but for those looking for more details on this bug submission, our team at Zendesk posted some info here.

    • Lvxferre [he/him]@mander.xyz · +6 · 9 months ago

      My sides went into orbit!

      The way that the Github comment is phrased, it implies that the link contains additional info that hackermondev didn’t mention. It doesn’t - instead it contains a subset of that info, missing critical bits:

      1. That Zendesk initially dismissed hackermondev’s report.
      2. That the “third parties” in question were Zendesk’s clients.

      Both pieces of info were omitted to back up a lie present in the text, that the bug hunter would have “violated key ethical principles”. He didn’t - as he noticed that Zendesk gives no flying fucks about the security issue, and that remediation was unlikely, he warned the people affected by the issue, so they can protect themselves against it.

      Zendesk is not just being irresponsible - it’s also being manipulative, and doubling down instead of doing the right thing (“we incorrectly dismissed that report. It was our bad. Here’s your 2k.”) They have no grounds to talk about ethical principles.

  • where_am_i@sh.itjust.works · +2 · 9 months ago

    Is it you, lemmy, brigading that GitHub gist? @ZendeskTeam is already dead, but don’t worry, you can still come and give them another kick.

  • Moonrise2473@feddit.it · +10 / −14 · 9 months ago

    Trying to do the devil’s advocate: Zendesk isn’t a mail server and all it’s doing is to organize a million messages sent to a specific address in a neater way. A spam filter is also present because every email client needs it, but spoofed mails should be rejected by the mail server, not the clients.

    • Lvxferre [he/him]@mander.xyz · +17 · edited · 9 months ago

      What “should be done” is irrelevant - what matters is what “is done”. And plenty of servers don’t enforce SPF, DKIM and DMARC. (In fact not even Google and Yahoo did it, before February of this year.)

      And, when you know that your product has a flaw caused by a third party not doing the right thing, and you can reasonably solve it through your craft, not solving it is being irresponsible. Doubly true if the flaw is related to security, as in this case.

      Let us learn with Nanni: when Ea-nāṣir sold him shitty copper, instead of producing shitty armour, weapons and tools that might endanger Nanni’s customers, Nanni complained with Ea-nāṣir. Nanni is responsible, Zendesk isn’t. [Sorry, I couldn’t resist.]

      [EDIT: can you muppets stop downvoting the comment above? Dave is right, Moonrise is trying to start a discussion, there’s nothing wrong with it.]
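The point argued in the two comments above, that a ticketing system can refuse to trust a spoofed sender even when upstream mail servers enforce nothing, as an added illustration that is not Zendesk's code or anything from the linked write-up. It assumes the intake service sits behind its own MTA (the hypothetical `mx.example.net`), which writes an Authentication-Results header (RFC 8601); the sample messages are constructed.

```python
"""Intake-side gate for a ticketing system: a message whose From: claims a
trusted (customer) domain is only treated as genuine when our own MTA's
Authentication-Results header reports dmarc=pass. Added example, not
Zendesk's code; mx.example.net and the messages below are made up."""
import email
import email.utils
import re
from email import policy

AUTHSERV_ID = "mx.example.net"   # assumed: the authserv-id of our own MTA

def auth_results(msg):
    """Return {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail', ...} taken only
    from Authentication-Results headers stamped by our own MTA; a header an
    outside sender injected with a different authserv-id is ignored."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        if authserv.strip().split()[0] != AUTHSERV_ID:
            continue
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results[m.group(1)] = m.group(2).lower()
    return results

def from_domain(msg):
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def should_accept(raw, trusted_domains):
    """True if the message may be handled as mail from its From: domain.
    Unknown senders stay ordinary tickets; a trusted domain must prove
    itself via DMARC rather than being believed on the From: line."""
    msg = email.message_from_string(raw, policy=policy.default)
    if from_domain(msg) not in trusted_domains:
        return True
    return auth_results(msg).get("dmarc") == "pass"

# Constructed samples: a forged "customer" mail, a genuine one, and one that
# carries a fake Authentication-Results header from a foreign authserv-id.
SPOOFED = """From: support@corp.example
To: help@tickets.example.com
Subject: Re: ticket 123
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=corp.example;
 dkim=none; dmarc=fail header.from=corp.example

Please add me as a collaborator on this ticket.
"""
GENUINE = SPOOFED.replace("spf=fail", "spf=pass").replace("dmarc=fail", "dmarc=pass")
INJECTED = SPOOFED.replace("mx.example.net;", "other.example;").replace("dmarc=fail", "dmarc=pass")
```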