Zendesk Access Token Disclosed in a JavaScript File Allowing Ticket Access
Introduction:
During a security assessment of a web application, I identified a critical vulnerability involving the exposure of sensitive credentials in a third-party JavaScript file.
Description:
While testing a web application, I noticed some requests made to a third-party service, Pendo.io. Specifically, the application made a request to the following URL:
https://cdn.pendo.io/agent/static/477dxxxxx-6276-4aaa-4440-xxxxxx/pendo.js
Upon further inspection of the JavaScript file hosted at this URL, I discovered a staging agent URL:
https://content.<redacted>.com/agent/static/xxxxx9a-6276-4aaa-4440-ffe442xxxxxx/pendo-staging.js
Within the contents of this staging file, sensitive information was inadvertently exposed, including a Zendesk access token and subdomain.
Disclosed Data:
The sensitive information disclosed in the JavaScript file is as follows:
"provider": {
    "name": "zendesk",
    "options": {
        "subdomain": "<redacted>",
        "token": "xxxxxxxxxxxx-xxxxxxxxxxx11945043b18954ba"
    }
}
Proof of Concept (PoC):
Using the disclosed Zendesk token, it is possible to access the Zendesk API and retrieve sensitive data such as support tickets. Below is an example of a curl command to demonstrate the issue:
curl "https://<redacted>.zendesk.com/api/v2/tickets.json" \
  -H "Authorization: Bearer xxxxxxxxxxxx-xxxxxxxxxxx11945043b18954ba"
Executing this command in a terminal provides unauthorized access to the organization’s Zendesk support tickets.
Impact:
The exposed Zendesk access token poses a significant security risk, as it allows unauthorized access to the organization’s Zendesk support tickets. These tickets may contain:
- Sensitive user data (e.g., PII, account details)
- Internal communications
- Information about active support issues or vulnerabilities

Such access can lead to data breaches, reputational damage, and further exploitation of sensitive information.
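A defender-side check for the disclosure described above, as an added example that is not part of the original write-up: a JavaScript function that scans a bundle for credential-like key/value pairs before the file is published to a CDN. The key list, thresholds, function names and sample bundle are assumptions constructed for illustration.

```javascript
// Added example: pre-publish check for credentials embedded in a JS bundle.
// SECRET_KEYS, the thresholds and SAMPLE_BUNDLE are assumptions for illustration.
const SECRET_KEYS = ["token", "access_token", "api_key", "apikey", "secret", "password"];

// Matches "token": "value" and the minified form token:"value".
const PAIR = new RegExp(
  `["']?\\b(${SECRET_KEYS.join("|")})\\b["']?\\s*:\\s*(["'])((?:(?!\\2).)+)\\2`, "gi");
// Matches the "name": "zendesk" style field used to label a provider block.
const PROVIDER = /["']?\bname\b["']?\s*:\s*["']([\w.-]+)["']/gi;

// Show only enough of the value to locate it; never print the full secret.
function mask(value) {
  return `${value.slice(0, 4)}...${value.slice(-4)} (${value.length} chars)`;
}

// Skip template placeholders and values too short to be a credential.
function looksLikePlaceholder(value) {
  return value.length < 12 || /^[<{$%]/.test(value) || /^x+$/i.test(value);
}

// Label a finding with the closest provider name declared before it.
function nearestProvider(source, index) {
  const names = [...source.slice(Math.max(0, index - 300), index).matchAll(PROVIDER)];
  return names.length ? names[names.length - 1][1] : "unknown";
}

function findEmbeddedSecrets(source, file = "bundle.js") {
  const findings = [];
  for (const m of source.matchAll(PAIR)) {
    const key = m[1].toLowerCase();
    const value = m[3];
    if (looksLikePlaceholder(value)) continue;
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({ file, line, key, provider: nearestProvider(source, m.index), preview: mask(value) });
  }
  return findings;
}

// Constructed sample shaped like the staging agent config; the token is fake.
const SAMPLE_BUNDLE = [
  "var cfg={guides:{enabled:true},",
  '"provider": {"name": "zendesk", "options": {',
  '  "subdomain": "example-support",',
  '  "token": "CONSTRUCTED-not-a-real-token-0000"}}};',
  'var tpl={token:"<%= csrf %>"};',
].join("\n");

console.log(findEmbeddedSecrets(SAMPLE_BUNDLE));
```

Run against every build artifact, staging variants included, and fail the pipeline when the returned array is non-empty; any token found this way should be revoked, not just removed from the file.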
Thanks for reading …