hi, i’m daniel. i’m a 15-year-old with some programming experience and i do a little bug hunting in my free time. here’s the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

  • @machinin
    link
    English
    12
    edit-2
    1 month ago

    I didn’t understand how the OP did this:

    Create an Apple account with [email protected]

    Is that just a spoofed email? What would be the steps to do that?

    • @[email protected]
      link
      fedilink
      English
      52
      edit-2
      1 month ago

      They aren’t trying to actually send from that email, they are trying to create an Apple ID that lets them log in using that email effectively as a username. And Slack will add people to the internal Slack if the email is a company email address.

      To open that account, they need to prove to Apple they own the account. They sign up with Apple and say their email address is [email protected], then Apple sends them a code to verify it’s their email.

      They can’t actually receive the verification email, because it’s not their email. That’s where the exploit comes in. It’s very important that this email address is the one that forwards emails to Zendesk. The verification email from Apple goes to Zendesk, then they use the exploit to see the history of the zendesk ticket, which includes the verification code.

      • @machinin
        link
        English
        71 month ago

        Thanks, that’s a useful description.

        Pretty ingenious.