[Security] Sender can reveal Agents IP without user interaction

Hi,

I'm a little bit frustrated here. I reported a security issue (in my eyes) to the bug-bounty program of Zoho. But it's being refused and the judgement is: "No security issue" . So that's why i'm publicing it here, curious what other people think about this.

The outline is that someone can mail our support desk and can get the following information:

IP of the Agent (re)opening the ticket

this IP is valuable information for hackers because it might be an Office or VPN ip
The IP might reveal the location of an agent, depending how accurate the IP database is

timestamp of ticket being opened

Just by using an img tag in the mail.

To make things clear:

I do not care about getting a bounty; I care for my agents and our organisation security
It's not about the agent is manually opening a link in a ticket, it's about opening links without user interaction.
Zoho has read-receipt disabled by default. Obviously because of privacy reasons ..... This issue provides even more info then a read-receipt.

Some possible solutions:

Zoho will sent all remote requests over a proxy. Gmail also does this, so you only see an Google ip address in the access log
When ticket is created, add the image as base64 or something like that, so it won't be requested by http
Make an option to disable this behaviour

My original report:

Hi,

We just found out that it's possible to get the ip-address from the Agent opening a ticket in Zoho Desk; no interaction is needed just opening the ticket is enough. Just embed (using the <img> tag an remote image and that's it.

The agent ip-adress should never be revealed to a sender because it introduces security risks.

Steps to reproduce:

Put an image somewhare on a website (where you have access to webserver logs) and be sure you disable browser caching for this image! eg. https://example.com/remote.png
Email to Zoho Desk and embed an image (img html tag). eg https://example.com/remote.png
Tail the http log and grab on the image (remote.png) you just embedded
Open the new ticket in Zoho Desk
Watch the log and see the request
Reload the ticket
Watch the log and see the request

The caching part is important because this makes it possible to see when an agent has opened the ticket everytime. If browser cache is enabled you will only 1 request.

Access your files securely from anywhere

Zoho Developer Community

New to Zoho LandingPage?

Access Zoho LandingPage

Zoho LandingPage Resources

New to Zoho Survey?

Access Zoho Survey

Latest Feature Updates

Explore our Pricing & Plans

Zoho Survey Resources

Android Mobile Surveys

Insurvey Blogs

Insight Blogs

Tips & Tricks

New to Zoho CRM Plus?

Deliver unforgettable customer experiences

ACCESS ZOHO CRM PLUS

New to Zoho CRM Plus?

Deliver unforgettable customer experiences

ACCESS ZOHO CRM PLUS

New to Zoho Marketing Plus?

Everything you need to run your marketing

ACCESS ZOHO MARKETING PLUS

New to Zoho Marketing Plus?

Everything you need to run your marketing

ACCESS ZOHO MARKETING PLUS

New to Bigin?

Signup Now

Access Bigin

Latest Feature Updates

Zoho Desk Resources

Desk Community Learning Series
Digest
Functions
Meetups
Kbase
Resources
Glossary
Desk Marketplace
MVP Corner
Word of the Day

Tout forum

France ZUGs

Zoho SalesIQ Resources

Topic Participants
Gerwin
Shivani | Zoho Desk

Sticky Posts
Live Webinar - Work smarter with Zoho Desk and Zoho Workplace integration
Hello customers! Zoho Desk and Zoho Workplace are coming together for a webinar on 14th May, 2024. Zoho Workplace is a suite of productivity apps for email, chat, docs, calls, and more at one single place. Zoho Desk is closely integrated with a few tools
Apple iOS 17 and iPadOS 17 updates for Zoho Desk users
Hello Zoho Desk users! Apple recently announced the release of iOS 17 and iPad OS 17. These latest OS updates will help you stay productive and efficient, through interactive and seamless user experiences. Zoho Desk has incorporated the updates to help
Zoho Desk Partners with Microsoft's M365 Copilot for seamless customer service experiences
Hello Zoho Desk users, We are happy to announce that Zoho Desk has partnered with Microsoft's M365 to empower customer service teams with enhanced capabilities and seamless experiences for agents. Microsoft announced their partnership during their keynote
Zoho Desk Cheat Sheet For The Year-End
Check out these Zoho Desk best practices to end this year on a high and have a great one ahead! #1 Set Business (Holiday) Hours - If you have limited working hours, please make sure you restrict your business hours or set them as holidays for the coming days. Let your customers know when you will, and won't, be available. #2 Update the Annual Holiday List - Check the holidays for the new year and update the holiday schedule. Usually, holidays from the current year will be carried over for the next
Deprecation of older versions of ASAP Mobile SDK | Zoho Desk
Hello, everyone. Greetings from Zoho Desk ASAP! In order to continue to deliver the best and most secure experience to our mobile SDK users. On account of the recent enhancements and updates to the mobile SDKs, we have planned to mark the older versions