“hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies: say hello to zendesk – If you’ve spent some time online, you’ve probably come across Zendesk. Zendesk is a customer service tool used by some of the world’s top companies. It’s easy to set up: you link it to your company’s support email (like [email protected]), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare. Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems. your weakest link – As the saying goes, “You’re only as strong as your weakest link.” Since Zendesk is just seen as a basic ticketing tool, companies often set it up without much thought. The most common setup I’ve seen is is forwarding all emails from [email protected] to Zendesk.

Why is that dangerous? Many companies use their @company.com domain for Single Sign-On (SSO), which lets employees quickly log in to internal tools. By connecting Zendesk to the same domain, companies unknowingly create a potential security gap. Zendesk handles all emails for the domain it’s configured for, which means if your SSO system doesn’t properly validate email addresses, anyone who gains access to your Zendesk could potentially exploit this and access your internal systems. (I’ll explain more on this later.)…”