Exploit exposed zendesk API Token for $1000

2 weeks ago 20

sushantdhopat

A short story: we were hunting on a private HackerOne program and checking for GitHub leaks.

The program uses the Zendesk service for its support desk. On the company's GitHub repo we found a .zat file that exposed a Zendesk API token/password. (API tokens are different from OAuth tokens: API tokens are auto-generated passwords created in the Support admin interface.)

{
"subdomain":"target",
"username":"support@target.com/token",
"password":"fwf4534535tertrterterty57564"
}

We checked the Zendesk docs for how to use this token/password and found:

curl https://target.zendesk.com/api/v2/users.json \
  -u support@target.com/token:fwf4534535tertrterterty57564

With this token/password we were able to list all users (/api/v2/users.json) and all user-generated tickets (/api/v2/tickets.json), among other endpoints; in effect we had full access to their support desk at https://target.zendesk.com.
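The root cause here is a credential file committed to a repository, so the useful defender-side check is a scanner that catches this pattern before it ships. The following is an added example, not the author's code or Keyhacks code: it walks a checked-out tree and flags .zat files and any JSON whose "username" ends in "/token" (the Zendesk API-token basic-auth convention shown above), plus inline user/token:secret pairs as they appear in curl -u arguments. The sample files, their contents and the token values are constructed for the demo; the 20-character minimum in the regex is a heuristic assumption, not a Zendesk specification.

```python
"""Scan a checked-out repository for leaked Zendesk API credentials.

Added example (not the write-up author's code). Detects:
  * .zat files (Zendesk CLI credential files)
  * JSON documents whose "username" ends in "/token"
  * inline "<email>/token:<secret>" pairs (curl -u style)
Secrets are never printed in full; only a redacted preview is kept.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed sample files (all values are made up). app.json is a
# control case that must NOT be flagged.
SAMPLE_FILES = {
    "tools/.zat": '{"subdomain":"target","username":"support@target.com/token",'
                  '"password":"fwf4534535tertrterterty57564"}',
    "config/support.json": '{"username": "agent@example.com/token",'
                           ' "password": "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"}',
    "config/app.json": '{"username": "svc-bot", "password": "not-a-zendesk-token"}',
    "notes/curl.txt": "curl https://target.zendesk.com/api/v2/users.json "
                      "-u support@target.com/token:fwf4534535tertrterterty57564",
}

# Heuristic: email, the literal "/token:", then a 20+ char alphanumeric secret.
CURL_TOKEN_RE = re.compile(r"([\w.+-]+@[\w.-]+)/token:([A-Za-z0-9]{20,})")


@dataclass
class Finding:
    path: str
    reason: str
    username: str
    token_preview: str  # redacted; never the full secret


def redact(secret: str) -> str:
    """Keep the first 4 characters so a finding can be matched to a token."""
    return secret[:4] + "...****"


def inspect_json(path: str, text: str):
    """Flag a JSON object that uses the Zendesk /token username convention."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    user = str(data.get("username", ""))
    password = str(data.get("password", ""))
    if user.endswith("/token") and password:
        return Finding(path, "JSON username uses Zendesk /token convention",
                       user, redact(password))
    return None


def inspect_text(path: str, text: str):
    """Flag an inline user/token:secret pair, e.g. from a saved curl command."""
    match = CURL_TOKEN_RE.search(text)
    if match:
        return Finding(path, "inline user/token:secret pair (curl -u style)",
                       match.group(1) + "/token", redact(match.group(2)))
    return None


def scan_tree(root: str):
    """Return a Finding for every suspicious file under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.endswith(".zat"):
                # A .zat file is a finding on its own, even if it fails to parse.
                found = inspect_json(rel, text) or Finding(
                    rel, ".zat file present (Zendesk CLI credentials)", "", "")
            else:
                found = inspect_json(rel, text) or inspect_text(rel, text)
            if found:
                findings.append(found)
    return findings


def scan_samples():
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}: {f.reason} user={f.username} token={f.token_preview}")
```

Run it as a pre-commit hook or in CI against the working tree; a hit on a .zat file or a "/token" username should block the commit. Whatever the scanner finds after the fact, the fix is the same as for any leaked API token: revoke it in the Zendesk Support admin interface and issue a new one, because removing the file from the repo does not remove it from git history or from anyone who already cloned it.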

We have added our findings to the Keyhacks repo; you can find them at https://github.com/streaak/keyhacks#Zendesk-api-key
