Exploiting Exposed Zendesk API Token for Full Support Desk Access for $1000

sushantdhopat
1 min read, Nov 4, 2024


While hunting on a private program on HackerOne, we were investigating GitHub leaks.

During our search, we discovered that the program was using Zendesk as its support desk service. While reviewing the company's GitHub repository, we found a .zat file that exposed a Zendesk API token (the "password" field below). For context, API tokens are different from OAuth tokens: API tokens are auto-generated passwords available in the Support admin interface, and they are used with the agent's e-mail address suffixed by /token as the username.

{
"subdomain":"target",
"username":"support@target.com/token",
"password":"fwf4534535tertrterterty57564"
}

We referred to the Zendesk documentation to understand how to use this token/password, and we found:

curl https://target.zendesk.com/api/v2/users.json \
  -u support@target.com/token:fwf4534535tertrterterty57564

With this token/password, we were able to access sensitive endpoints such as /api/v2/users.json, exposing all users, and /api/v2/tickets.json, revealing user-generated tickets. Additionally, we gained full access to their support desk at https://target.zendesk.com.

We have documented our findings in the Keyhacks repository, which you can view at https://github.com/streaak/keyhacks#Zendesk-api-key.
