Reco Security Labs: How Zendesk Left a Backdoor Open

Dvir Sasson
Updated
October 21, 2024
December 2, 2024
5 min read

Zendesk is a customer relationship management (CRM) platform with software that facilitates customer engagement, sales, and support. It’s also a critical SaaS application for several reasons. It integrates with other SaaS apps like Okta and Slack to automate processes. It’s also used by Fortune 100 companies and stores a high level of sensitive data related to customers, internal processes, and organizational data. 

Companies frequently set up Zendesk carelessly: it is treated as a basic ticketing tool rather than as a critical system, despite the level of data access it has.

Full-Scale Platform Exploit Targeting Zendesk

Last week, a 15-year-old ethical hacker exposed a security flaw in Zendesk's systems. The exploit allows anyone to impersonate a Zendesk agent and gain access to connected platforms (such as Slack) using just two emails. The flaw also enabled access to private Slack channels.


Read from the ethical hacker on GitHub.

Overview of the Original Finding

The ethical hacker found a significant weakness in Zendesk that let anyone view customer service tickets from any business that used the platform. All they needed to do was send a carefully worded email to a Zendesk-managed support address. The affected domains lacked SPF, DKIM, and DMARC email-authentication DNS records, so the sender address of such an email could be spoofed.

This is how the exploit works: Zendesk creates a new support ticket when an email is sent to a company's help portal (support@company.com, for example). To keep track of the email thread, Zendesk automatically generates a reply-to address of the form support+id{id}@company.com, where {id} is the unique ticket number.

It is possible to reply to that ticket with another email address copied, map the internal email addresses used by Zendesk, and then, voilà, gain access to the platform. You can then view the original ticket that was opened with the verification code and gain full access to Slack and other platforms used by the organization.

When you include someone in a reply email, Zendesk adds them instantly to the ticket so they may view the entire ticket history in the support site.
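The weakness described above was only exploitable because the support domains had no SPF, DKIM or DMARC records, so a spoofed sender was accepted. The following script, added here as an example and not code from the Reco post or from Zendesk, evaluates a domain's SPF and DMARC posture from its TXT records. The records are passed in as strings so it runs offline; against a live domain you would fetch them with a resolver such as dnspython's dns.resolver.resolve(name, "TXT"). All sample zone data below is constructed.

```python
"""Evaluate a domain's SPF and DMARC posture from its DNS TXT records.

Added example, not code from the Reco post or from Zendesk. The records are
passed in as plain strings so the check runs offline; in practice you would
fetch them with a resolver (for example dnspython's
dns.resolver.resolve(name, "TXT")). All sample records below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class EmailAuthPosture:
    domain: str
    spf_present: bool = False
    spf_all: Optional[str] = None       # "-all", "~all", "?all", "+all" or None
    dmarc_present: bool = False
    dmarc_policy: Optional[str] = None  # "none", "quarantine", "reject" or None
    findings: List[str] = field(default_factory=list)


# The "all" mechanism, optionally qualified, standing alone as a token.
_SPF_ALL = re.compile(r"(?:^|\s)([-~?+]?)all(?:\s|$)")


def _parse_spf(records: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (spf record, qualifier of the 'all' mechanism) or (None, None)."""
    for r in records:
        if r.lower().startswith("v=spf1"):
            m = _SPF_ALL.search(r)
            # An unqualified "all" means "+all" per RFC 7208.
            qualifier = ((m.group(1) or "+") + "all") if m else None
            return r, qualifier
    return None, None


def _parse_dmarc(records: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (dmarc record, value of the p= tag) or (None, None)."""
    for r in records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for kv in r.split(";"):
                if "=" in kv:
                    k, v = kv.split("=", 1)
                    tags[k.strip().lower()] = v.strip().lower()
            return r, tags.get("p") or None
    return None, None


def evaluate(domain: str, txt_records: Dict[str, List[str]]) -> EmailAuthPosture:
    """txt_records maps a DNS name to its TXT strings, e.g. {"_dmarc.x": [...]}."""
    p = EmailAuthPosture(domain)
    spf, qualifier = _parse_spf(txt_records.get(domain, []))
    p.spf_present, p.spf_all = spf is not None, qualifier
    if spf is None:
        p.findings.append("no SPF record: any host may send as this domain")
    elif qualifier in (None, "+all", "?all"):
        p.findings.append(f"SPF has no failing 'all' ({qualifier}): spoofed senders pass")

    dmarc, policy = _parse_dmarc(txt_records.get(f"_dmarc.{domain}", []))
    p.dmarc_present, p.dmarc_policy = dmarc is not None, policy
    if dmarc is None:
        p.findings.append("no DMARC record: SPF/DKIM results are never enforced")
    elif policy == "none":
        p.findings.append("DMARC p=none: failures are reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        p.findings.append(f"DMARC p={policy}: unrecognised policy")

    # Softfail alone only marks mail; it needs an enforcing DMARC policy to matter.
    if qualifier == "~all" and policy not in ("quarantine", "reject"):
        p.findings.append("SPF softfail (~all) with no enforcing DMARC policy")
    return p


# Constructed sample zone data for three domains (not real DNS answers).
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "bare.example": ["some-site-verification=abc123"],
}

if __name__ == "__main__":
    for d in ("good.example", "weak.example", "bare.example"):
        r = evaluate(d, SAMPLE_TXT)
        print(d, r.spf_all, r.dmarc_policy, r.findings)
```

Run it against the support domains Zendesk handles for you (both your own domain and any custom support domain); a result with no findings means a spoofed support-address email should be rejected by receivers that honour DMARC, which is the condition the original finding relied on being absent.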

When the researcher reported the vulnerability, Zendesk dismissed it, citing email spoofing as ineligible for their bug bounty. Zendesk has since patched the issue and advised customers to strengthen their user verification practices. They also criticized the hacker for breaching the responsible disclosure standard. However, because Zendesk originally disregarded the vulnerability, the researcher reached out to Zendesk's customer base directly with the finding.

How Reco Can Detect this Vulnerability

Reco can help you stay secure from the latest security flaw in Zendesk systems. If you are a Zendesk customer, you can integrate your Zendesk instance with Reco and we will monitor the SaaS application and alert you to any misconfigurations or other issues/vulnerabilities. 

Reco Onboarding Guide for Zendesk

We also have a posture check, Zendesk - Active External Users, that lists all external users, helping you identify whether you were impacted by this security flaw.
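As an added illustration of what such a check has to look at (this is example code, not Reco's posture check and not Zendesk code), the script below runs two reviews over Zendesk user and ticket records: it lists every active account whose mailbox is outside your own domains, and it flags tickets where a CC'd participant belongs to neither your domains nor the requester's domain, which is exactly how a stranger ends up reading a ticket's history. The records mimic the field names of Zendesk's /api/v2/users and /api/v2/tickets responses (id, email, role, active; requester_id, email_cc_ids), but every record here is constructed so it runs offline; the internal domain list is an assumption you would replace with your own.

```python
"""Posture checks over Zendesk user and ticket records.

Added example; not Reco's posture check and not Zendesk code. The records mimic
the field names of Zendesk's /api/v2/users and /api/v2/tickets responses
(id, email, role, active; requester_id, email_cc_ids), but every record here is
constructed so the script runs offline. Pull live data from those endpoints
with an API token before running this against a real instance.
"""
from typing import Dict, Iterable, List


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def active_external_users(users: List[dict], internal_domains: Iterable[str]) -> Dict[str, str]:
    """Map email -> role for every active account whose mailbox is outside the
    company's own domains. Reviewing this list is how you spot an account you
    never invited, and an external 'agent' deserves a second look."""
    internal = {d.lower() for d in internal_domains}
    return {
        u["email"]: u["role"]
        for u in users
        if u.get("active") and domain_of(u["email"]) not in internal
    }


def suspicious_cc_tickets(tickets: List[dict], users: List[dict],
                          internal_domains: Iterable[str]) -> List[dict]:
    """Flag tickets where a CC'd participant belongs to neither the company's
    domains nor the requester's domain. Anyone copied onto a ticket can read
    its whole history, so a third party on someone else's thread is the
    condition the Zendesk flaw relied on."""
    internal = {d.lower() for d in internal_domains}
    by_id = {u["id"]: u for u in users}
    flagged = []
    for t in tickets:
        requester = by_id.get(t["requester_id"])
        if requester is None:
            continue
        req_domain = domain_of(requester["email"])
        outsiders = [
            by_id[uid]["email"]
            for uid in t.get("email_cc_ids", [])
            if uid in by_id
            and domain_of(by_id[uid]["email"]) not in internal | {req_domain}
        ]
        if outsiders:
            flagged.append({"ticket_id": t["id"], "requester": requester["email"],
                            "external_ccs": outsiders})
    return flagged


# Constructed sample records (shape borrowed from the Zendesk API, values invented).
INTERNAL_DOMAINS = {"acme.example"}  # assumption: the company's own mail domain
USERS = [
    {"id": 1, "email": "alice@acme.example", "role": "agent", "active": True},
    {"id": 2, "email": "bob@acme.example", "role": "admin", "active": True},
    {"id": 3, "email": "customer@client.example", "role": "end-user", "active": True},
    {"id": 4, "email": "stranger@freemail.example", "role": "end-user", "active": True},
    {"id": 5, "email": "contractor@vendor.example", "role": "agent", "active": True},
    {"id": 6, "email": "former@vendor.example", "role": "agent", "active": False},
]
TICKETS = [
    {"id": 101, "requester_id": 3, "email_cc_ids": [1]},     # own agent CC'd: fine
    {"id": 102, "requester_id": 2, "email_cc_ids": [4]},     # outsider on an internal thread
    {"id": 103, "requester_id": 3, "email_cc_ids": [4, 1]},  # outsider on a customer thread
    {"id": 104, "requester_id": 3, "email_cc_ids": []},
]

if __name__ == "__main__":
    for email, role in active_external_users(USERS, INTERNAL_DOMAINS).items():
        print(f"external active user: {email} ({role})")
    for f in suspicious_cc_tickets(TICKETS, USERS, INTERNAL_DOMAINS):
        print(f"ticket {f['ticket_id']} from {f['requester']}: CC {f['external_ccs']}")
```

Ticket 102 is the pattern to care about most: an internal requester (a verification email routed into support, for instance) with an unrelated outside address copied in. Treat such a hit as a reason to review who added the CC and what the ticket contained.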

The Zendesk - Active External User Posture Check Available in Reco

We can also detect potentially nefarious activity by discovering whether Slack is connected to your Zendesk instance as a third-party application.

Reco Discovers if a Third-Party App Such as Slack is Connected to Your Zendesk Instance

Conclusion

What started as a small bug turned into an exploit that allowed this hacker to infiltrate the internal systems of some of the world’s largest companies through Zendesk. But enterprises can rest assured that SaaS security solutions like Reco exist. Reco connects into Zendesk and continuously monitors, sending real-time detections of new and emerging attack vectors.

ABOUT THE AUTHOR

Dvir Sasson

Dvir is the Director of Security Research, where he contributes a vast array of cybersecurity expertise gained over a decade in both offensive and defensive capacities. His areas of specialization include red team operations, incident response, security operations, governance, security research, threat intelligence, and safeguarding cloud environments. With CISSP and OSCP certifications, Dvir is passionate about problem-solving, developing automation scripts in PowerShell and Python, and delving into the mechanics of breaking things.

Technical Review by:
Gal Nakash
