Exploiting Exposed Zendesk API Token for Full Support Desk Access for $1000

sushantdhopat
1 min readNov 4, 2024

--

Investigating GitHub leaks, we were hunting on a private program on HackerOne.

During our search, we discovered that the program was using Zendesk as its support desk service. While reviewing their company GitHub repository, we found a .zat file that exposed a Zendesk token/password. (For context, API tokens are different from OAuth tokens; API tokens are auto-generated passwords available in the Support admin interface.)

{
"subdomain":"target",
"username":"support@target.com/token",
"password":"fwf4534535tertrterterty57564"
}

We referred to the Zendesk documentation to understand how to use this token/password, and we found:

curl https://target.zendesk.com/api/v2/users.json \  -u support@target.com/token:fwf4534535tertrterterty57564

With this token/password, we were able to access sensitive endpoints such as /api/v2/users.json, exposing all users, and /api/v2/tickets.json, revealing user-generated tickets. Additionally, we gained full access to their support desk at https://target.zendesk.com.

We have documented our findings in the Keyhacks repository, which you can view at https://github.com/streaak/keyhacks#Zendesk-api-key.

--

--

sushantdhopat
sushantdhopat

Written by sushantdhopat

Just do epic hacks. Hunting bugs for coffee. Living the doepichack dream.

No responses yet