Comment by larkinrichards

4 months ago

Exploit chain:

1. Zendesk allows you to add users to a support issue and view the complete issue history by sending a response email to a guessable support email from a person associated with an issue and Cc'ing the person to add.

2. Zendesk depends on a spam check for inbound email validity. This check does not appear to catch instances where the sender email is spoofed. Zendesk claims this is due to DKIM/SPF/DMARC config, but I have trouble imagining that 50% of the Fortune 500 would get this wrong. There are many automated checks available.

3. Apple issues an Apple ID account to anyone who can receive a verification email sent to the mailing address (support@company.com).

4. Slack allows you to sign in to a workspace using any Apple ID associated with the workspace domain (e.g. support@company.com).

This researcher reported #2 to HackerOne and was declined. The researcher later discovered the full exploit with 3 and 4. Did not update HackerOne, contacted affected companies directly.

It would have been prudent to update HackerOne on the additional finding, but it feels like an easy oversight for a 15 year old after getting rejected on the first round.

Zendesk should take the higher ground and recognize the mistake and correct it. Not get all "ethical mumbo jumbo."

>it feels like an easy oversight for a 15 year old after getting rejected on the first round.

I'm not 15, but since you ignore(d) me - game over.
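The receiver-side check that step 2 of the chain above turns on, as an added example written for this page and not Zendesk's, Slack's or the researcher's code: before an inbound reply is allowed to do anything privileged with a ticket (such as honouring a Cc: that adds a participant), require the From: domain to be DMARC-aligned with an SPF or DKIM pass recorded by your own mail server, rather than relying on a spam score. All domains, the authserv-id `mx.helpdesk.example`, the `POLICIES` table standing in for DNS lookups, and the three sample messages are constructed for the example.

```python
"""Gate privileged actions on inbound ticket mail (e.g. honouring a Cc: that adds
a user to a ticket) on DMARC-style alignment of the From: domain, not on a spam
score. Added example, not Zendesk's or Slack's code; all domains are made up."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the authserv-id our own MTA writes into Authentication-Results.
OUR_AUTHSERV_ID = "mx.helpdesk.example"


def domain_of(addr: str) -> str:
    """'Alice <alice@Customer.Example>' -> 'customer.example'."""
    return parseaddr(str(addr))[1].rsplit("@", 1)[-1].lower()


def parse_dmarc_record(txt: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}."""
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)


def parse_auth_results(value: str) -> dict:
    """Parse an RFC 8601 Authentication-Results header (comments dropped)."""
    value = re.sub(r"\([^)]*\)", "", str(value))
    parts = [p.strip() for p in value.split(";") if p.strip()]
    out = {"authserv_id": parts[0].split()[0], "spf": None, "dkim": []}
    for clause in parts[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if method == "spf":
            out["spf"] = (result, domain_of(props.get("smtp.mailfrom", "")))
        elif method == "dkim":
            out["dkim"].append((result, props.get("header.d", "").lower()))
    return out


def aligned(auth_domain: str, from_domain: str, relaxed: bool) -> bool:
    """DMARC identifier alignment. Relaxed mode is simplified here to a
    parent/child domain test; production code must use the Public Suffix List."""
    if not auth_domain or not from_domain:
        return False
    if auth_domain == from_domain:
        return True
    return relaxed and (auth_domain.endswith("." + from_domain)
                        or from_domain.endswith("." + auth_domain))


def from_is_authenticated(raw: bytes, dmarc_policies: dict) -> tuple:
    """(True, why) only if the RFC5322.From domain is aligned with a passing SPF
    or DKIM result recorded by OUR MTA. dmarc_policies stands in for DNS TXT
    lookups of _dmarc.<domain>; a missing entry means no DMARC record."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"] or "")
    pol = dmarc_policies.get(from_domain, {})
    # Only trust Authentication-Results written by us: any upstream copy can
    # simply be pasted into the message by the sender.
    results = [parse_auth_results(v) for v in msg.get_all("Authentication-Results", [])]
    results = [r for r in results if r["authserv_id"] == OUR_AUTHSERV_ID]
    if not results:
        return False, "no Authentication-Results from our own MTA"
    ar = results[0]
    if ar["spf"] and ar["spf"][0] == "pass" and aligned(
            ar["spf"][1], from_domain, pol.get("aspf", "r") == "r"):
        return True, "SPF pass, aligned with From:"
    for result, d in ar["dkim"]:
        if result == "pass" and aligned(d, from_domain, pol.get("adkim", "r") == "r"):
            return True, "DKIM pass, aligned with From:"
    # Whatever p= the sender publishes (even none, or no record at all), an
    # unauthenticated From: must not unlock ticket access.
    return False, f"From: {from_domain} not authenticated (DMARC p={pol.get('p', 'absent')})"


# Constructed sample data; every domain below is fictitious.
POLICIES = {"customer.example": parse_dmarc_record("v=DMARC1; p=reject; adkim=r; aspf=r")}

LEGIT = b"""Authentication-Results: mx.helpdesk.example; spf=pass smtp.mailfrom=bounce@customer.example; dkim=pass header.d=customer.example
From: Alice <alice@customer.example>
To: support@helpdesk.example
Cc: Bob <bob@customer.example>
Subject: Re: [Ticket #1234] VPN outage

Adding Bob to the ticket.
"""

# From: spoofed from an unrelated host: SPF fails, no DKIM signature.
SPOOFED = b"""Authentication-Results: mx.helpdesk.example; spf=fail (sender IP 203.0.113.9 not permitted) smtp.mailfrom=alice@customer.example; dkim=none
From: Alice <alice@customer.example>
To: support@helpdesk.example
Cc: eve@attacker.example
Subject: Re: [Ticket #1234] VPN outage

Please add Eve.
"""

# Attacker's own domain authenticates fine, and the message carries a forged
# "upstream" Authentication-Results claiming customer.example passed.
FORGED_AR = b"""Authentication-Results: mx.helpdesk.example; spf=pass smtp.mailfrom=bounce@attacker.example; dkim=pass header.d=attacker.example
Authentication-Results: mail.attacker.example; spf=pass smtp.mailfrom=alice@customer.example; dkim=pass header.d=customer.example
From: Alice <alice@customer.example>
To: support@helpdesk.example
Cc: eve@attacker.example
Subject: Re: [Ticket #1234] VPN outage

Please add Eve.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoofed", SPOOFED), ("forged-AR", FORGED_AR)]:
        print(name, from_is_authenticated(raw, POLICIES))
```

The design point is that the decision belongs to the receiver: a system about to grant ticket history or add a participant on the strength of a From: header should demand alignment even when the sending domain publishes p=none or no DMARC record at all, and should ignore any Authentication-Results header it did not write itself. That keeps the outcome from depending on every customer's DMARC deployment.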