Thanks @khizer47 for the report. An insecure Zendesk API token was hardcoded in a JS file, causing Support portals to lose control of administrator rights. We removed the dangerous token and controlled permissions by using a more secure OAuth token.
An API key and associated email were hardcoded into a JS file linked on the homepage of www.whalefin.com, which gave me full administrator-level access to Amer group's multiple support portals and associated organisations.
This issue was quickly fixed by removing the affected JS file and updating/deprecating the leaked API key.
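
One way to catch this class of leak before a bundle ships, as an added example (not code from the report or from the affected site): a Node.js scan of built JavaScript for Zendesk API-token credentials, both written out as `<email>/token:<api_token>` and pre-encoded as a base64 Basic-auth value. The function names, the 20-character token floor and the sample bundle are assumptions made for this illustration, and the credential in the sample is constructed.

```javascript
// Added example (Node.js): find Zendesk API-token credentials in JS source.
// Zendesk token auth is HTTP Basic over "<email>/token:<api_token>".
// The 20-character floor on the token part is an assumption of this example.
const PLAIN = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+\/token:[A-Za-z0-9]{20,}/;
const B64_RUN = /[A-Za-z0-9+\/]{40,}={0,2}/g;

// Report only a short prefix so the scanner's own output never leaks the secret.
const redact = (s) => `${s.slice(0, 6)}... (${s.length} chars)`;
const lineOf = (src, index) => src.slice(0, index).split("\n").length;

function findZendeskCredentials(src) {
  const findings = [];
  // 1. Credential pair written out literally, e.g. passed to btoa() at runtime.
  for (const m of src.matchAll(new RegExp(PLAIN.source, "g"))) {
    findings.push({ kind: "plaintext", line: lineOf(src, m.index), preview: redact(m[0]) });
  }
  // 2. Pre-encoded Authorization value: decode each base64-looking run, re-check.
  for (const m of src.matchAll(B64_RUN)) {
    const decoded = Buffer.from(m[0], "base64").toString("latin1");
    if (PLAIN.test(decoded)) {
      findings.push({ kind: "base64", line: lineOf(src, m.index), preview: redact(m[0]) });
    }
  }
  return findings;
}

// Constructed sample bundle; the address and token below are fake.
const FAKE_CRED = "agent@example.com/token:" + "A1b2C3d4E5".repeat(4);
const SAMPLE_BUNDLE = [
  'const helpUrl = "https://example.zendesk.com/api/v2/requests.json";',
  `const auth = "Basic ${Buffer.from(FAKE_CRED).toString("base64")}";`,
  `fetch(helpUrl, { headers: { Authorization: "Basic " + btoa("${FAKE_CRED}") } });`,
  'const widgetKey = "not-a-secret";',
].join("\n");

for (const f of findZendeskCredentials(SAMPLE_BUNDLE)) {
  console.log(`${f.kind} credential at line ${f.line}: ${f.preview}`);
}
```

A hit in anything served to browsers means the token should be treated as exposed and revoked, not just removed from the file.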