Exploiting Exposed Zendesk API Token for Full Support Desk Access

Written by doepichack

November 15, 2024

Investigating GitHub leaks, we were hunting on a private program on HackerOne.

During our search, we discovered that the program was using Zendesk as its support desk service. While reviewing their company GitHub repository, we found a .zat file that exposed a Zendesk token/password. (For context, API tokens are different from OAuth tokens; API tokens are auto-generated passwords available in the Support admin interface.)

{
"subdomain":"target",
"username":"support@target.com/token",
"password":"fwf4534535tertrterterty57564"
}

We referred to the Zendesk documentation to understand how to use this token/password, and we found:

curl https://target.zendesk.com/api/v2/users.json \  -u support@target.com/token:fwf4534535tertrterterty57564

With this token/password, we were able to access sensitive endpoints such as /api/v2/users.json, exposing all users, and /api/v2/tickets.json, revealing user-generated tickets. Additionally, we gained full access to their support desk at https://target.zendesk.com.

We have documented our findings in the Keyhacks repository, which you can view at https://github.com/streaak/keyhacks#Zendesk-api-key.

You May Also Like…

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *