1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies
gist.github.com
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies - zendesk.md

hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

  • Lvxferre@mander.xyzEnglish
    18·
    9 hours ago

    What “should be done” is irrelevant - what matters is what “is done”. And plenty servers don’t enforce SPF, DKIM and DMARC. (In fact not even Google and Yahoo did it, before February of this year.)

    And, when you know that your product has a flaw caused by a third party not doing the right thing, and you can reasonably solve it through your craft, not solving it is being irresponsible. Doubly true if it the flaw is related to security, as in this case.

    Let us learn with Nanni: when Ea-nāṣir sold him shitty copper, instead of producing shitty armour, weapons and tools that might endanger Nanni’s customers, Nanni complained with Ea-nāṣir. Nanni is responsible, Zendesk isn’t. [Sorry, I couldn’t resist.]