A developer found a bug in Zendesk that allowed them to view other people’s tickets, but never got rewarded
The 15-year-old developer said that he found a bug in the Zendesk service that allowed hackers to read customer support tickets hosted on the service. At the same time, according to the developer, Zendesk representatives twice refused to pay a reward.
To access someone else's tickets, it was enough to send a specially crafted email to a company's Zendesk-powered support address: it turned out that the service had no protection against email spoofing (forged sender addresses). In this way, attackers could gain access to the tickets of any company that uses Zendesk services. Almost half of the Fortune 500 list is at risk.
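As an added illustration that is not part of the original article or of Zendesk's own code: a sketch of the check a ticket system's inbound mail handler should apply before threading a message into an existing ticket. It assumes the receiving MX stamps an Authentication-Results header; the function names, the sample messages and the domains are hypothetical.

```python
# Added example (not Zendesk's code): refuse to thread inbound support mail
# into an existing ticket unless the sender is authenticated and aligned.
import re
from email import message_from_bytes, policy, utils

def auth_results(msg) -> dict:
    """Parse the Authentication-Results header our own MX is assumed to add."""
    header = str(msg.get("Authentication-Results", ""))
    fields = {}
    for key, pat in (("spf", r"\bspf=(\w+)"), ("spf_dom", r"smtp\.mailfrom=([\w.-]+)"),
                     ("dkim", r"\bdkim=(\w+)"), ("dkim_dom", r"header\.d=([\w.-]+)")):
        m = re.search(pat, header)
        fields[key] = m.group(1).lower() if m else None
    return fields

def from_domain(msg) -> str:
    """Domain of the visible From: address, i.e. the identity the ticket would trust."""
    return utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

def triage_inbound(raw: bytes) -> str:
    """'thread': append to the ticket named in the Subject and notify its CCs.
    'isolate': open a new, unlinked ticket; the sender proved nothing, so the
    message must not see or join any existing conversation."""
    msg = message_from_bytes(raw, policy=policy.default)
    ar, sender = auth_results(msg), from_domain(msg)
    # DMARC-style alignment: a pass only counts if it vouches for the From domain.
    dkim_ok = ar["dkim"] == "pass" and ar["dkim_dom"] == sender
    spf_ok = ar["spf"] == "pass" and ar["spf_dom"] == sender
    return "thread" if (dkim_ok or spf_ok) else "isolate"

# Constructed sample messages (all domains are placeholders).
LEGIT = b"""From: Alice <alice@customer.example>
To: support@vendor.example
Subject: Re: [Ticket #1234] Login problem
Authentication-Results: mx.vendor.example; spf=pass smtp.mailfrom=customer.example; dkim=pass header.d=customer.example

Thanks, that fixed it.
"""
SPOOFED = b"""From: Alice <alice@customer.example>
To: support@vendor.example
Subject: Re: [Ticket #1234] Login problem
Authentication-Results: mx.vendor.example; spf=fail smtp.mailfrom=attacker.example; dkim=none

Resending my previous message.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, "->", triage_inbound(raw))
```

A message that authenticates for a different domain than the one shown in From: is treated the same as an outright failure, which is the case the alignment check exists for.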
The developer reported the bug through the HackerOne program, but company representatives told him that the vulnerability was out of scope for the program and therefore would not be patched. He was also refused a reward.
The young developer then decided to share the bug directly with Zendesk customers so that they could mitigate it on their own side. Those companies paid him for reporting the vulnerability, and in total he earned more than $50,000. After that, Zendesk representatives contacted the developer and asked him not to tell anyone else about the vulnerability.
In July 2024, Zendesk engineers fixed the bug, and the developer again asked for a reward. The company turned him down again, this time on the grounds that he had disclosed the vulnerability to third parties, which violates the rules of the bug bounty program.