
Unauthenticated Zendesk JWT Enables Full Support System Impersonation

Reported Mar 2, 2026
Severity Critical
Platform Web (API)
Vulnerability Class Improper Authentication (CWE-287)
Target Type Cryptocurrency Exchange
Impact Read/write any user's support conversations and KYC documents

The Risk

An endpoint on a cryptocurrency exchange's website generated valid support system login tokens for any user, requiring only that user's email address. No login, no password, no verification. An attacker could read every support conversation any customer ever had, download identity documents submitted for account verification, and send messages pretending to be that customer. The tokens carried no expiration, so once a token was obtained, access persisted until the signing secret was rotated.

The Vulnerability

A public API endpoint generated signed JSON Web Tokens (JWTs) used to log users into the platform's Zendesk-based customer support system. The endpoint accepted an email address as input and returned a valid token without checking whether the caller was actually logged in as that user; the identity placed in the token came entirely from the attacker-controlled request. The tokens contained no expiration (exp) claim.

The endpoint also served as an email enumeration oracle: it returned different HTTP status codes for registered and unregistered addresses, letting an attacker confirm which email addresses belonged to accounts.

The Attack

With a single unauthenticated request containing a victim's email, the attacker received a signed token. This token authenticated the attacker to the support system as the victim.

From there they could read all past conversations including messages from both the customer and support agents, download file attachments (identity documents, screenshots), and send new messages that appeared to come from the victim. No rate limiting was observed.

The Impact

Complete access to every customer's support history. KYC documents (government ID, selfies), real IP addresses, device information, and two-factor recovery discussions were all accessible.

An attacker could social-engineer support agents by sending messages as the victim, manipulate withdrawal disputes, or inject messages into active KYC reviews. Because the tokens never expired, a single capture granted access until the signing secret was rotated.

Remediation

  • Require authentication on the token generation endpoint.
  • Derive the user identity server-side from the authenticated session rather than accepting it as input.
  • Rotate the signing secret immediately: the tokens already issued carry no expiration, so rotation is the only way to invalidate them.
  • Add expiration claims to future tokens and keep the lifetime short.
  • Return the same response for registered and unregistered email addresses so the endpoint no longer confirms which accounts exist.
  • Rate limit the endpoint, since none was observed.
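The following is an added example, not code from the report or from the exchange. It puts the vulnerable endpoint shape described under The Vulnerability and The Attack beside a version that applies the Remediation list: identity taken from the authenticated session rather than the request body, an exp claim with a short lifetime, a uniform 401 for every unauthenticated request (which removes the enumeration oracle), and a secret rotation that finally kills the non-expiring tokens already issued. The HS256 signer and verifier use only the standard library so it runs offline. The secret values, the user table, the five-minute lifetime, the handler names and the session shape are all constructed for illustration; the claim set (iat, jti, name, email, external_id) follows the format Zendesk's JWT single sign-on expects.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional, Tuple

# Constructed fixtures: the exchange's real secret and user table are not on the page.
SECRET_V1 = b"constructed-zendesk-shared-secret-v1"
SECRET_V2 = b"constructed-zendesk-shared-secret-v2"   # value after rotation
USERS = {
    "alice@example.com": {"name": "Alice", "external_id": "ext-1001"},
    "bob@example.com": {"name": "Bob", "external_id": "ext-1002"},
}
TOKEN_TTL = 300  # seconds; hypothetical lifetime for the hardened tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Produce an HS256 JWT (header.payload.signature), the scheme Zendesk JWT SSO uses."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the HMAC matches and the token is unexpired, else None.

    A token with no exp claim verifies forever, which is exactly the permanent-access
    condition the report describes.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, signature = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), signature):
        return None
    claims = json.loads(_b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def _sso_claims(email: str, now: int) -> dict:
    user = USERS[email]
    return {"iat": now, "jti": str(uuid.uuid4()), "name": user["name"],
            "email": email, "external_id": user["external_id"]}


# Vulnerable shape: identity comes from the request body, the caller's session is never
# consulted, the token has no exp, and the status code leaks whether the email exists.
def vulnerable_support_token(body: dict, secret: bytes = SECRET_V1,
                             now: Optional[int] = None) -> Tuple[int, dict]:
    email = body.get("email")
    if email not in USERS:
        return 404, {"error": "unknown user"}          # enumeration oracle
    now = int(time.time()) if now is None else now
    return 200, {"jwt": sign_jwt(_sso_claims(email, now), secret)}


# Hardened shape: the caller must hold an authenticated session, the subject is the
# session's user (the body is ignored for identity), the token expires, and every
# unauthenticated request gets the same 401 regardless of which email it names.
def hardened_support_token(session: Optional[dict], body: dict, secret: bytes = SECRET_V1,
                           now: Optional[int] = None) -> Tuple[int, dict]:
    if not session or session.get("email") not in USERS:
        return 401, {"error": "authentication required"}
    now = int(time.time()) if now is None else now
    claims = _sso_claims(session["email"], now)
    claims["exp"] = now + TOKEN_TTL
    return 200, {"jwt": sign_jwt(claims, secret)}


if __name__ == "__main__":
    # An attacker with no session mints a token for bob, and it verifies indefinitely.
    status, resp = vulnerable_support_token({"email": "bob@example.com"}, now=1_000)
    print(status, verify_jwt(resp["jwt"], SECRET_V1, now=10**9)["email"])  # 200 bob@example.com
    # The same request against the hardened endpoint is refused; with alice's session it
    # yields a token for alice only, which stops verifying after TOKEN_TTL seconds.
    print(hardened_support_token(None, {"email": "bob@example.com"})[0])  # 401
    status, resp = hardened_support_token({"email": "alice@example.com"},
                                          {"email": "bob@example.com"}, now=1_000)
    print(verify_jwt(resp["jwt"], SECRET_V1, now=1_100)["email"],
          verify_jwt(resp["jwt"], SECRET_V1, now=1_400))  # alice@example.com None
    # Rotating the secret is what revokes the already-issued, non-expiring tokens.
    status, resp = vulnerable_support_token({"email": "bob@example.com"}, now=1_000)
    print(verify_jwt(resp["jwt"], SECRET_V2))  # None
```

Two things the block makes concrete: the vulnerable token still verifies at any future time under the original secret, so only the switch to SECRET_V2 revokes it; and the hardened handler answers every unauthenticated request identically, whether or not the named email exists, so it no longer distinguishes accounts.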