My story begins after a long day's work at the company that employs me. As was usually the case every evening, I opened the ride app on my phone and ordered a ride home. After I arrived at my destination, I noticed that I had been overcharged for the trip, so I tried to reach out to support. On navigating to the support interface within the app, I was greeted with the following error message.
Note that I have redacted the domain in question, so the message was something like "No help desk at redacted.zendesk.com".
A further attempt to reach the support interface of the app resulted in a different error:
This surprised me, as I was already somewhat familiar with Zendesk's ticketing support system. The next logical step was to sign up for a trial account and register "redacted.zendesk.com". Within seconds of doing this, my email inbox was flooded with tickets from customers seeking support for issues they were experiencing on the ride app. These tickets contained a lot of sensitive information such as geolocation data, usernames, real names, credit card information and much more.
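The root cause here is a dangling third-party reference: the app still pointed at a Zendesk subdomain that nobody owned. As an added example (not code from the original post or from the company involved), the audit below takes the support URLs baked into an app's configuration, fetches each one, and flags any Zendesk subdomain whose response carries the same "No help desk at ..." text the app displayed; the hostnames and responses are constructed samples, and the `fetch` callback is a stub standing in for real HTTP requests.

```python
import re
from urllib.parse import urlparse

# Marker taken from the error the app showed: "No help desk at redacted.zendesk.com".
# Assumption: an unclaimed Zendesk subdomain answers with a page carrying this text.
DANGLING_MARKER = re.compile(r"No help desk at\s+[a-z0-9-]+\.zendesk\.com", re.I)

def zendesk_subdomain(url: str):
    """Return the Zendesk subdomain a URL points at, or None if the host is not
    directly under zendesk.com (look-alikes such as foo-zendesk.com are rejected)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    if len(parts) == 3 and parts[1:] == ["zendesk", "com"] and parts[0]:
        return parts[0]
    return None

def classify(url: str, status: int, body: str) -> str:
    """Classify one support-desk reference from the HTTP answer it produced."""
    if zendesk_subdomain(url) is None:
        return "not-zendesk"
    if DANGLING_MARKER.search(body):
        return "dangling"   # subdomain is unclaimed: anyone with a trial account can take it
    if status == 200:
        return "live"
    return "unknown"        # e.g. 5xx: re-check later rather than assume it is fine

def audit(references, fetch):
    """Map each reference to its classification. `fetch(url)` returns (status, body),
    so the caller controls how requests are made (here an offline stub)."""
    return {url: classify(url, *fetch(url)) for url in references}

# Constructed sample responses standing in for real HTTP requests (hypothetical hosts).
_SAMPLE_RESPONSES = {
    "https://example-rides.zendesk.com/hc/requests/new":
        (404, "<html><body>No help desk at example-rides.zendesk.com</body></html>"),
    "https://example-live.zendesk.com/hc/en-us":
        (200, "<html><body>Submit a request</body></html>"),
    "https://support.example-rides.com/":
        (200, "<html>in-house portal</html>"),
}

def fake_fetch(url):
    return _SAMPLE_RESPONSES.get(url, (503, ""))

if __name__ == "__main__":
    for url, verdict in audit(_SAMPLE_RESPONSES, fake_fetch).items():
        print(f"{verdict:11} {url}")
```

Running this as a release-pipeline or scheduled check turns a silently decommissioned help desk into an alert before customers' tickets start flowing to whoever registers the name.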
Given the critical nature of the issue, I immediately set out to bring it to the company's attention. (Unfortunately they had no vulnerability disclosure platform in place.) Luckily, I was able to hear back from someone on their Facebook page, who then put me in touch with the company's security team.
I worked with the company's product manager over the course of the next few days to get the issue resolved. Although the company did not have a bounty or disclosure platform, they were considerate enough to offer me a reward in the form of unlimited rides on their app.