The unexpected bounty: A story of Zendesk takeover on REDACTED.com

wis4nggeni
Jan 25 · 3 min read

It all started with a LinkedIn connection request.

The person's bio said she works as a Talent Acquisition Specialist at a company, REDACTED.com. Having just received a duplicate on my previous XSS report, I decided to take a break from my main targets and look at REDACTED.com instead.

After some subdomain enumeration, I found something interesting at support.REDACTED.REDACTED.com. When I tried to access that subdomain, I got the following page:

It looked like the subdomain was pointing to a Zendesk help center page that was either never claimed or no longer exists. Using the dig command, I got the CNAME record.

After reading the Zendesk documentation, I successfully registered a new account and took over the subdomain. I was also able to get stored XSS by enabling SSL to stop the redirect, then creating a guide HTML page containing an XSS payload.
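As an added, defender-side example (not code from the post or from Zendesk), here is a small audit that walks a zone's CNAME records and flags hostnames whose chain ends at a Zendesk tenant name that is missing from the organisation's own inventory, which is exactly the state the dig lookup above revealed. The zone excerpt, the example.com names and the inventory are constructed assumptions.

```python
# Dangling-CNAME audit for third-party help-center hostnames (constructed example:
# the zone excerpt and tenant inventory are inline so it runs offline; in practice
# they come from the zone file / `dig +short CNAME <name>` and the asset inventory).
from typing import Dict, List, Set, Tuple

# Hosting suffixes that hand out per-tenant hostnames. A CNAME to one of these is
# only safe while the tenant it names is still registered to you.
SAAS_SUFFIXES = (".zendesk.com",)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot that dig prints on FQDNs."""
    return name.rstrip(".").lower()


def resolve_cname_chain(name: str, records: Dict[str, str], limit: int = 8) -> List[str]:
    """Follow CNAMEs from `name` until a name that has no CNAME record.
    Returns the chain of targets (excluding `name`); `limit` guards against loops."""
    recs = {normalize(k): normalize(v) for k, v in records.items()}
    chain: List[str] = []
    cur = normalize(name)
    while cur in recs and len(chain) < limit:
        cur = recs[cur]
        chain.append(cur)
    return chain


def find_dangling(records: Dict[str, str], active_tenants: Set[str]) -> List[Tuple[str, str]]:
    """Return (subdomain, final target) for each record whose chain ends at a SaaS
    tenant hostname absent from the inventory, i.e. one anyone could register."""
    findings = []
    for owner in records:
        chain = resolve_cname_chain(owner, records)
        if chain and chain[-1].endswith(SAAS_SUFFIXES) and chain[-1] not in active_tenants:
            findings.append((normalize(owner), chain[-1]))
    return sorted(findings)


# Constructed zone excerpt and inventory (hypothetical names, not from the post).
ZONE_CNAMES = {
    "support.example.com.": "examplecorp.zendesk.com.",
    "help.example.com.": "examplecorp-help.zendesk.com.",
    "www.example.com.": "example.com.",
}
ACTIVE_ZENDESK_TENANTS = {"examplecorp-help.zendesk.com"}

if __name__ == "__main__":
    for sub, target in find_dangling(ZONE_CNAMES, ACTIVE_ZENDESK_TENANTS):
        print(f"DANGLING: {sub} -> {target} (tenant not in inventory)")
```

Running this against the constructed zone reports only support.example.com, since its tenant name is not in the inventory; the fix on the defender's side is to delete the record or re-register the tenant before the CNAME is published.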

I didn't report it immediately, because they don't have a bug bounty program and I couldn't find any security-related contact on their website. Days later, I received a couple of tickets (around 10) from their customers. It turned out this Zendesk portal was still in use, and tickets from their customers were being forwarded to it from the main (another) website.

hmm…

I decided to ask the Talent Acquisition Specialist from LinkedIn where I could report this vulnerability. She gave me the email address of their security team, and I reported the vulnerability immediately because my inbox was being flooded with tickets from their customers.

I was just being a good guy and sent this report without expecting anything in return, because I knew they didn't have a bug bounty program; a simple "Thank you." would have been more than enough.

But to my surprise, they decided to reward me with a bounty. Well, unexpected money is the best money. :D

This is the fastest bounty I've ever received so far (more or less a week after the report was sent), and it also marks my first bounty in 2020.

Timeline:

  • January 17 2020: Report sent.
  • January 20 2020: Report validated with High severity; they asked me for my bank details to send the bounty reward.
  • January 23 2020: $$$ paid, disclosure request approved.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by wis4nggeni

A Bug Bounty Hunter from Indonesia, with years of experience as a Software Engineer. Feel free to contact me anytime: https://t.me/wis4nggeni.
