• 8 Posts
  • 857 Comments
Joined 1 year ago
cake
Cake day: June 2nd, 2023

help-circle




  • Dave@lemmy.nztoScience Memes@mander.xyzYep, it's me
    link
    fedilink
    English
    arrow-up
    10
    ·
    6 days ago

    Haha I have one of these.

    Them: how come most trees are green?

    Me: Oh, well the leaves have s…

    Them: OK goodbye

    I also have another one that likes to hear all the details, and as a young kid they would ask me to explain stuff while they fell asleep.

    Me: OK, sleeping time

    Them: Can you tell me why we don’t two suns while I lie down?

    Me: oh, boy, well… [then I talk until they fall asleep]

    I think they were about 3 or 4 when we did this.













  • I can see both angles of this. Especially since the original disclosure didn’t have the full detail of how it could be exploited to access company systems, and they (the writeup author) never disclosed that update.

    You can see how a large company (Zendesk) could miss this in the multitude of people trying to claim bug bounties. I fully believe that had they understood the issue they should have fixed it, since it’s within their power and basically a service to their clients. But I can understand how the limited detail in the original disclosure demonstrated a much lower level risk than the end exploit that was never reported.



  • They aren’t trying to actually send from that email, they are trying to create an Apple ID that lets them log in using that email effectively as a username. And Slack will add people to the internal Slack if the email is a company email address.

    To open that account, they need to prove to Apple they own the account. They sign up with Apple and say their email address is [email protected], then Apple sends them a code to verify it’s their email.

    They can’t actually receive the verification email, because it’s not their email. That’s where the exploit comes in. It’s very important that this email address is the one that forwards emails to Zendesk. The verification email from Apple goes to Zendesk, then they use the exploit to see the history of the zendesk ticket, which includes the verification code.