SECURITY ISSUE: Personal documents posted to the open web

06-21-2018 , 03:00 PM
Ya I do find it hard to believe a project as big as zendesk doesn't take the necessary precautions to protect against security issues like this. But maybe they weren't anticipating people using their software to store important personal docs like bank statements?

Did global forget to check this box though? OMEGALUL

https://support.zendesk.com/hc/en-us...er-attachments

Verifying your customer’s identity through a passport or driver license scan can be an effective way to verify the identity of your customer. Due to the sensitive nature of these documents, and their ability to be used for identity theft, we recommend using the require authentication to download feature. While regular attachments are secured using a token, a URL that is considerably complex and random, they could be potentially exposed through a misdirected email.

To enable require authentication to download go to Admin > Settings > Tickets.

Please note, until the require authentication to download is associated with a specific group or agent, uploaded files are visible to any authenticated user. Once an attachment is associated with a ticket or post, visibility is restricted to users with access to the ticket or post that has the authentication to download.

Last edited by rngz; 06-21-2018 at 03:09 PM.
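As an added illustration (constructed here, not Zendesk's or Global Poker's code), a small model of the two access modes the Zendesk text above describes: with the token-only setting a leaked link is a bearer credential and serves the file to anyone holding it, while with require authentication to download the same link serves only to a logged-in user who has access to the ticket. The class, method names and status codes are assumptions.

```python
"""Constructed model (not Zendesk's code) of the two attachment access modes the
Zendesk help text describes: a random capability token in the URL alone, or that
token plus "require authentication to download" with ticket-level access."""
import secrets
from typing import Dict, Optional, Set


class AttachmentStore:
    def __init__(self, require_auth: bool) -> None:
        self.require_auth = require_auth
        self.ticket_by_token: Dict[str, int] = {}     # token -> ticket id
        self.ticket_acl: Dict[int, Set[str]] = {}     # ticket id -> users with access

    def upload(self, ticket_id: int, allowed_users: Set[str]) -> str:
        # 32 random bytes (256 bits) is the "complex and random" part of the URL.
        token = secrets.token_urlsafe(32)
        self.ticket_by_token[token] = ticket_id
        self.ticket_acl[ticket_id] = allowed_users
        return f"/attachments/token/{token}/document.pdf"

    def download(self, url: str, user: Optional[str]) -> int:
        """Return the HTTP status a request for `url` would get; `user` is None
        for a browser that is not logged in (e.g. the recipient of a misdirected email)."""
        if self.require_auth and user is None:
            return 302            # redirect to the login page, nothing served
        ticket_id = self.ticket_by_token.get(url.split("/")[3])
        if ticket_id is None:
            return 404
        if not self.require_auth:
            return 200            # bearer URL: whoever holds the link gets the file
        if user not in self.ticket_acl[ticket_id]:
            return 403            # logged in, but no access to this ticket
        return 200


def leaked_link_outcomes() -> Dict[str, int]:
    """Same leaked link, three requesters, under each setting."""
    results: Dict[str, int] = {}
    for mode, require_auth in (("token_only", False), ("require_auth", True)):
        store = AttachmentStore(require_auth)
        link = store.upload(ticket_id=1, allowed_users={"agent", "customer"})
        for who, user in (("anon", None), ("customer", "customer"), ("stranger", "stranger")):
            results[f"{mode}_{who}"] = store.download(link, user)
    return results


if __name__ == "__main__":
    for case, status in leaked_link_outcomes().items():
        print(f"{case:24} -> {status}")
```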
06-21-2018 , 03:29 PM
It appears they did forget it. I always use hosted solutions for support so, never used Zendesk on any of my dev projects.

That being said -- people are going to brush this off likely, but as a computer dev, entrepreneur and poker player for the last 10 years of my life -- people have taken more, with less than a publicly available bank statement.

The fact it has gone hours without a response is kind of silly. At least say, "We've forwarded this to our dev team and are rectifying the issue immediately."

I'm not a pitchfork type of guy, but this is real ****ing important.
06-21-2018 , 04:08 PM
I barely convinced myself to ever associate my PayPal account with this site.

Looks like giving them my personal bank info is not going to happen.

Nice survey lol...
06-21-2018 , 04:17 PM
LOL. The global **** show keeps on delivering. Any site 2p2 endorses and or the mods shill for you should avoid like the plague. Lesson learned.
06-21-2018 , 04:28 PM
I just attempted it with the link to my bank statement, it did not work. However, it did work with my driver's license.

This is ****ing disturbing.
06-21-2018 , 04:36 PM
@billyho make sure you aren't logged into Zendesk and try the driver's license again, just to be sure we aren't pitchforking unnecessarily.

I see no links to my documents from my PayPal verification steps, so I'm super hesitant at this point to even do the bank verification but if I ever want the four figures+ I have on there, I guess I will have to.

Time to open a new bank account just for this purpose, then close it.
06-21-2018 , 04:45 PM
Where are all these ****ing geniuses who couldn't stop talking about how great global is? Where are they now? It's kinda ****ty but everyone that was skeptical/ thought this site is not legit has been validated just from the last week alone.

Shame on 2p2 for allowing advertising.
06-21-2018 , 04:50 PM
Quote:
Originally Posted by integratyper777
@billyho make sure you aren't logged into Zendesk and try the driver's license again, just to be sure we aren't pitchforking unnecessarily.

I see no links to my documents from my PayPal verification steps, so I'm super hesitant at this point to even do the bank verification but if I ever want the four figures+ I have on there, I guess I will have to.

Time to open a new bank account just for this purpose, then close it.
I did. I hovered over the downloaded documents - my bank statement and my driver's license - in order to see the link (it shows up on bottom left on Chrome). Had to hover, because a straight click would download it to my computer (bank statement) or open it in a new window with the diverted address (driver's license).

I then typed those addresses into a Firefox browser that was not signed into Zendesk and has never even been used to play GlobalPoker or use Zendesk. The URL for my bank statement came back with an error page. But my driver's license just popped up with a scanned picture of my driver's license for all to see.
06-21-2018 , 04:51 PM
@billy just stating for the record I wasn't saying you were wrong, or lying, just being sure that we substantiate the things we say so this doesn't turn into a pitchfork fiasco.

They are sure in the wrong in this situation, and we should handle it as such, with facts, and it appears you have. Thanks for the reply!
06-21-2018 , 05:02 PM
If you need the proper auth token string in the URL to view the documents, then what exactly is the problem? It's not like somebody can guess the token value?
06-21-2018 , 05:08 PM
Quote:
Originally Posted by William Murderface
If you need the proper auth token string in the URL to view the documents, then what exactly is the problem? It's not like somebody can guess the token value?
It's called security through obscurity. The problem is:
"Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism."
And yes, people can most certainly guess the token value. There are probably botnets going at it right now, and may have been for as long as Global's Zendesk site was misconfigured.
06-21-2018 , 05:11 PM
Mine does not do this. When I click on the link it takes me to the zendesk login screen. Maybe your login is automatic. Idk...hope you get it figured out.
06-21-2018 , 05:14 PM
Quote:
Originally Posted by integratyper777
There's someone on the backend of this website with ZERO clue of security then.

If this is true, which it seems it's been confirmed ITT, even though their website is built on the React framework (I'm a developer, experienced in this) which was uplifting for me to see, I have much, much less faith in their site seeing this.

Now I'm suspect of the fact they post public identifiable hand tokens to each table during the hand, and multiple other things. Who says someone isn't somehow decrypting the action/flop/card states/observables back to the tables then?

What the, you guys make millions of dollars and can't even set up CORS rules or some basic ass protection?

Get real, I'm cashing out my balance ASAP.
They also have debug running in the console, so there's lot of funny stuff if you open it up.
06-21-2018 , 05:15 PM
@mojo yes, I see that now. Lol.
06-21-2018 , 05:18 PM
Emails are not secure documents. More like postcards. The mailman can read them.
06-21-2018 , 06:02 PM
Cliffs in layman’s terms? Any precautionary measures we can take?
06-21-2018 , 06:07 PM
This needs to be resolved ASAP. If there are any major issues due to this oversight, Global could see lawsuits arise...
06-21-2018 , 06:15 PM
Quote:
Originally Posted by The Apex
Cliffs in layman’s terms? Any precautionary measures we can take?
Global isn't securely storing your identity documents and bank statements because they couldn't be bothered to RTFM when they set up Zendesk. You can yell at them to secure that server, or at least take it offline until they get their **** together. They should have done that hours ago.
06-21-2018 , 06:39 PM
Thanks for the heads up guys. I haven't been able to cash out for a few days and joined this site to see if others were having the same problem. At this point, I am glad I didn't. My only regret was recommending my friends to use the site. I just deleted my account. Thank you for the great information.
06-21-2018 , 06:46 PM
What a mess this company is turning into.

Looks like the RNG and transparency are the least of our concerns.

Their Facebook ad is nothing but complaint comments top to bottom.

Doesn't surprise me much. Any company that refuses to let you have access to your own stat history shouldn't have been trusted far anyway.

Online poker companies have pretty much 100% been dumpster fires for the last couple of decades. Guess we shouldn't be surprised.
06-21-2018 , 06:57 PM
Honestly, I'm the first to call bull**** on bad RNGs and their RNG seems fine, I played 2 million+ hands of omaha back in the day on Stars/Tilt and felt way worse about those RNGs than this one. Not even being results oriented, because I'm crushing right now at an insane winrate.

That being said, things like this are what concern me. First it's public documents, then it's a leak in the prop/state system of React, and someone is reading the RNG from the client side and stealing RNG seeds, etc.

I'm a developer, so securing a help desk should be easy for any competent person that was able to install it. It seems they perhaps paid good money to establish, and have since not paid the money to maintain it.

But I could be wrong.
06-21-2018 , 07:42 PM
Hey guys,

I have just seen this. Not something I have heard of before but I appreciate it is definitely something that players need clarity on. I will look into this for you and find a response.

Joey
06-21-2018 , 08:28 PM
Joey, when you get back to us be sure to address post #26, where Zendesk says not to do what you guys are doing because it's a security risk.
06-21-2018 , 09:32 PM
Quote:
Originally Posted by rngz
Ya I do find it hard to believe a project as big as zendesk doesn't take the necessary precautions to protect against security issues like this. But maybe they weren't anticipating people using their software to store important personal docs like bank statements?

Did global forget to check this box though? OMEGALUL

https://support.zendesk.com/hc/en-us...er-attachments

Verifying your customer’s identity through a passport or driver license scan can be an effective way to verify the identity of your customer. Due to the sensitive nature of these documents, and their ability to be used for identity theft, we recommend using the require authentication to download feature. While regular attachments are secured using a token, a URL that is considerably complex and random, they could be potentially exposed through a misdirected email.

To enable require authentication to download go to Admin > Settings > Tickets.

Please note, until the require authentication to download is associated with a specific group or agent, uploaded files are visible to any authenticated user. Once an attachment is associated with a ticket or post, visibility is restricted to users with access to the ticket or post that has the authentication to download.
So Zendesk offers this feature for their customers to secure such documents? Global just isn’t paying for that service? Am I understanding that correctly?
06-21-2018 , 09:59 PM
Is there anything we should do now if our information is out there to protect ourselves?