Reco Security Labs: How Zendesk Left a Backdoor Open

Zendesk is a customer relationship management (CRM) platform with software that facilitates customer engagement, sales, and support. It’s also a critical SaaS application for several reasons. It integrates with other SaaS apps like Okta and Slack to automate processes. It’s also used by Fortune 100 companies and stores a high level of sensitive data related to customers, internal processes, and organizational data. 

‍

Companies frequently set up Zendesk carelessly, and Zendesk is simply regarded as a basic ticketing tool instead of as critical, considering it’s level of data access. 

‍

Full Scale Platform Exploit Targeting Zendesk

‍

Last week, a 15-year old ethical hacker exposed a security flaw in Zendesk’s systems. This exploit allows anyone to impersonate a Zendesk agent, and gain access to connected platforms (such as Slack) with two emails. The flaw also enabled access to private Slack channels. 

Read from the ethical hacker on GitHub.

‍

Overview of the Original Finding

‍

The ethical hacker found a significant weakness in Zendesk that let anyone view customer service tickets from any business that used the platform. All they needed to do was to send a carefully worded email to a Zendesk-managed support email. The email security DNS headers were lacking SPF, DKIM, and DMARC. 

‍

This is how the exploit works: a new support ticket is created by Zendesk when an email is sent to a company’s help portal (support@company.com, for example). Zendesk automatically creates a reply-to address, support+id{id}@company.com, where {id} is the unique ticket number, in order to maintain track of the email thread. 

‍

It is possible to reply to that ticket with another email address copied, map the internal email addresses used by Zendesk, and then voilà gain access to the platform. You can then view the original ticket that was opened with the verification code and then gain full access to Slack and other platforms utilized by the organization. 

‍

When you include someone in a reply email, Zendesk adds them instantly to the ticket so they may view the entire ticket history in the support site.

‍

Despite reporting the vulnerability, Zendesk dismissed it, citing email spoofing as ineligible for their bug bounty. Zendesk has since patched the issue, advising customers to enhance user verification practices. They also criticized the hacker for breaching the responsible disclosure standard. However, as Zendesk originally disregarded this vulnerability, the researcher reached out to their customer base with the finding.

‍

How Reco Can Detect this Vulnerability

‍

Reco can help you stay secure from the latest security flaw in Zendesk systems. If you are a Zendesk customer, you can integrate your Zendesk instance with Reco and we will monitor the SaaS application and alert you to any misconfigurations or other issues/vulnerabilities. 

‍

Reco Onboarding Guide for Zendesk

‍

We also have a posture check, Zendesk - Active External Users, that lists out all external users, helping you identify if you were impacted by this security flaw. 

‍

‍

We can also detect if there is something potentially nefarious occurring by discovering if Slack is connected to your Zendesk instance as a 3rd-party application. 

‍

‍

Conclusion

‍

What started as a small bug turned into an exploit that allowed this hacker to infiltrate the internal systems of some of the world’s largest companies through Zendesk. But enterprises can rest assured that SaaS security solutions like Reco exist. Reco connects into Zendesk and continuously monitors, sending real-time detections of new and emerging attack vectors.