Comment by dgoldstein0

4 months ago

I suppose my point is "read someone else's ticket" is far from the worst case scenario here. It certainly sounds like zendesk didn't care to protect ticket contents ... Which the more I think about it is pretty egregious, as support tickets can include PII.

In general, I do expect for the folks reading hackerone reports to make some mistakes; there's a lot of people who will just run a vulnerability scanner and report all the results like they've done something useful. Sometimes for real bugs you have to explain the impact with a good "look what I can do with this."

Also, the poster didn't share their submission with us, just the responses. So it's hard to know how clear they were to zendesk. A good bug with a bad explanation I would not expect to get paid.

>Sometimes for real bugs you have to explain the impact with a good "look what I can do with this."

I'm not sure. Anybody that keeps up to date with security (e.g. those working in a security team) should know that ticketing systems also contain credentials sometimes. For example, when Okta was breached, the main concern was that Okta support tickets contain... session tokens, cookies, and credentials!

https://www.bleepingcomputer.com/news/security/okta-says-its...

What's the point of having a security team that can't directly link external experience to their own system? Learning the same mistakes that have already been known?