Zendesk Mega Backdoor

TL;DR

Zendesk’s auto-collaboration feature treated CC recipients as ticket collaborators, effectively granting access when email sender identity could be spoofed.

Briefing Cornell Notes

Briefing

Zendesk’s email-to-ticket system let attackers use email spoofing to “join” other companies’ support conversations—then pivot that access into Slack account takeovers for hundreds of Fortune 500 organizations. The core failure was how Zendesk handled CC’d collaborators: when an attacker impersonated a legitimate sender and CC’d their own address, Zendesk automatically added them to the ticket and granted access to the full ticket history.

The mechanism hinged on predictable support addresses and incremental ticket IDs. Zendesk creates a unique reply address in the form of support+<ticketID>@<company-domain>.com, so future replies route back to the same ticket thread. If an attacker could guess the support email address and the ticket ID (often incremental and therefore brute-forceable), they could send a crafted spoofed email that impersonated the original requester and CC’d the attacker. Zendesk treated the email as legitimate, added the attacker as a collaborator, and exposed sensitive customer support details through the Zendesk portal.

That wasn’t the end of the problem. Many enterprises use Zendesk alongside Slack single sign-on on the same domain. A separate researcher had previously shown how Zendesk could be used to infiltrate private Slack workspaces by completing email verification flows through Zendesk’s support portal. In this account, the 15-year-old bug hunter replicated and scaled the approach by combining the Zendesk spoofing weakness with the way Slack verification emails work.

The attack path differed by identity provider. Google’s verification emails were blocked from becoming Zendesk tickets (notably from no-reply@ addresses), which disrupted the exploit. Apple’s verification emails, however, came from an address format that Zendesk did not block, allowing the attacker to receive verification codes via Zendesk ticket creation and then log into Slack using “Login with Apple.” With the right setup, the researcher reported reproducing the workflow across roughly a hundred vulnerable Zendesk + Slack instances, effectively enabling unauthorized access to internal Slack workspaces.

The reporting process became its own controversy. Zendesk initially marked the email-spoofing issue as out of scope for its HackerOne bug bounty, citing SPF/DKIM/DMARC-related exclusions. After additional pressure and follow-up—especially once companies contacted Zendesk and demanded actionable details—Zendesk confirmed fixes. By July 2, 2024, Zendesk described changes including switching to spam analysis when ticket threading triggers, and adding filters to suspend certain classes of emails such as Apple user verification messages based on reply-to and message-id headers, plus non-transactional Google Workspace emails.

The dispute also included the bounty award itself. Zendesk later said it forfeited the researcher’s award after alleged violations of disclosure terms, including contacting third parties before remediation. The account ends with lingering concern: even after remediation efforts, the broader lesson remained that small trust decisions in email handling—especially around spoofing and collaborator auto-add—can cascade into account compromise across connected enterprise tools.

Cornell Notes

Zendesk’s email-to-ticket workflow allowed attackers to exploit predictable support addresses and incremental ticket IDs. By spoofing the original sender and CC’ing themselves, attackers could get automatically added as ticket collaborators and read full ticket histories. The researcher then combined this access with Slack SSO/email verification flows—especially those involving Apple verification emails—to take over private Slack workspaces across many organizations. Zendesk initially treated the core issue as out of scope for its bug bounty due to SPF/DKIM/DMARC exclusions, later implemented mitigations (spam scoring and email-type filtering), and ultimately disputed the researcher’s disclosure conduct. The episode highlights how email trust boundaries can become a gateway to cross-system compromise.

How did Zendesk’s ticketing design make email spoofing useful to an attacker?

Zendesk generated a unique reply address for each ticket in the pattern support+<ticketID>@<company-domain>.com, so replies routed back to the same ticket thread. If an attacker knew the support email address and the ticket ID (often incremental), they could send a crafted email that impersonated the original requester and CC’d the attacker. Zendesk then treated the message as legitimate, automatically added the attacker to the ticket collaboration list, and granted access to the ticket’s full history in the support portal.

Why did CC-based collaboration become a security gap rather than a convenience feature?

CC was effectively an authorization mechanism. When Zendesk automatically added CC’d recipients to the ticket, it turned “being CC’d” into “being granted access,” even when the email’s sender identity could be spoofed. Without strong sender authentication checks for these flows, an attacker could impersonate a trusted party and use CC to escalate from outsider to collaborator.

What role did Slack SSO and email verification play in turning ticket access into workspace takeover?

Many companies connect Slack SSO to the same domain used for Zendesk support. With access to Zendesk ticket creation and email handling, an attacker could route verification emails through Zendesk and capture the codes needed to authenticate to Slack. The researcher’s approach relied on the ability to receive verification messages as Zendesk-created tickets, then use those codes to log into Slack as the target domain’s user.

Why did the exploit work differently for Google versus Apple verification emails?

Google verification emails were blocked from being automatically created as Zendesk tickets when they came from no-reply@ addresses, preventing the attacker from receiving the needed codes through Zendesk. Apple’s verification emails, sent from an Apple ID address format (e.g., appleid.app… to support-company.com), were not blocked in the same way, allowing the attacker to receive verification codes via Zendesk tickets and complete Slack login.

What mitigations did Zendesk describe after confirming the issue?

Zendesk said it used two spam filters (Cloudmark and RSpamD) to score messages and suspend suspicious ones. In the fix, Zendesk implemented logic to automatically switch to spam analysis when ticket threading is triggered, and added filters to automatically suspend certain email classes—specifically Apple user verification emails based on reply-to and message-id header values, and non-transactional Google Workspace emails from reply.com. Zendesk also said it planned further sender-authentication controls over which emails get suspended or rejected.

Why was the initial bug bounty submission treated as out of scope?

Zendesk’s HackerOne policy excluded issues tied to SPF/DKIM/DMARC problems. Zendesk categorized the root cause as bypassing email authentication protocols, so the submission was marked “informative” and not eligible for bounty payout. Later, Zendesk also disputed the researcher’s conduct regarding disclosure timing and direct outreach to third parties before remediation, leading to forfeiture of an award.

Review Questions

What specific Zendesk behavior turned CC’d email recipients into authorized ticket collaborators?
How do predictable ticket IDs and support+<ticketID> reply addresses enable brute-force or targeted exploitation?
Why might an attacker prefer Apple verification emails over Google’s in this Zendesk-to-Slack attack chain?

Key Points

1
Zendesk’s auto-collaboration feature treated CC recipients as ticket collaborators, effectively granting access when email sender identity could be spoofed.
2
Predictable support addresses and incremental ticket IDs made it feasible to target specific ticket threads using support+<ticketID>@<domain> reply routing.
3
Ticket access could be escalated into Slack workspace compromise when Slack SSO/email verification flows were tied to the same domain and could be routed through Zendesk.
4
Google verification emails were blocked from Zendesk ticket creation in the described reproduction, while Apple verification emails were not, enabling the Apple-based login path.
5
Zendesk’s post-confirmation mitigations focused on spam scoring during ticket threading and suspending specific categories of verification and non-transactional emails.
6
Zendesk’s bug bounty process initially excluded the core issue as out of scope due to SPF/DKIM/DMARC-related policy language, later adding disputes about disclosure conduct and award forfeiture.

Highlights

Zendesk’s reply-address scheme (support+<ticketID>@<company-domain>.com) made future replies—and therefore attacker-crafted spoofed emails—route directly into existing ticket threads.

CC-based collaboration acted like an authorization bypass: spoof an email, CC yourself, and Zendesk automatically adds the attacker to the ticket history.

The Slack takeover depended on which identity provider’s verification emails Zendesk would allow into ticket creation—Apple worked where Google’s no-reply flow was blocked.

Zendesk’s July 2, 2024 response emphasized spam-filter scoring and header-based suspension rules for Apple verification messages.

The case illustrates how bug bounty scope rules (SPF/DKIM/DMARC exclusions) can clash with real-world impact when trust boundaries are misapplied.

Topics

Zendesk Security
Email Spoofing
Ticket Collaboration
Slack SSO
Bug Bounty Scope

Mentioned

Zendesk
HackerOne
Slack
Cloudflare
Cloudmark
RSpamD
Apple ID
Google Workspace
SPF
DKIM
DMARC
Cloudflare
Daniel
Dale Carnegie
SSO
CC
SPF
DKIM
DMARC
OAUTH
ID
SSO
SPF
DKIM
DMARC