[Security] Sender can reveal Agents IP without user interaction
Hi,
I'm a little bit frustrated here. I reported a security issue (in my eyes) to the bug-bounty program of Zoho. But it's being refused and the judgement is: "No security issue" . So that's why i'm publicing it here, curious what other people think about this.
The outline is that someone can mail our support desk and can get the following information:
- IP of the Agent (re)opening the ticket
- this IP is valuable information for hackers because it might be an Office or VPN ip
- The IP might reveal the location of an agent, depending how accurate the IP database is
- timestamp of ticket being opened
Just by using an img tag in the mail.
To make things clear:
- I do not care about getting a bounty; I care for my agents and our organisation security
- It's not about the agent is manually opening a link in a ticket, it's about opening links without user interaction.
- Zoho has read-receipt disabled by default. Obviously because of privacy reasons ..... This issue provides even more info then a read-receipt.
Some possible solutions:
- Zoho will sent all remote requests over a proxy. Gmail also does this, so you only see an Google ip address in the access log
- When ticket is created, add the image as base64 or something like that, so it won't be requested by http
- Make an option to disable this behaviour
My original report:
Hi,
|
Access your files securely from anywhere
New to Zoho Recruit?
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Gerwin
Shivani | Zoho Desk
Sticky Posts
Zoho Desk Partners with Microsoft's M365 Copilot for seamless customer service experiences
Hello Zoho Desk users, We are happy to announce that Zoho Desk has partnered with Microsoft's M365 to empower customer service teams with enhanced capabilities and seamless experiences for agents. Microsoft announced their partnership during their keynoteWhatsApp pricing changes: Pay per message starting July 1, 2025
Starting July 1, 2025, WhatsApp is shifting from conversation-based pricing to per-message billing. That means every business-initiated message you send will count. Not just the first one in a 24-hour window. Pricing updates on the WhatsApp Business PlatformLive Webinar - Work smarter with Zoho Desk and Zoho Workplace integration
Hello customers! Zoho Desk and Zoho Workplace are coming together for a webinar on 14th May, 2024. Zoho Workplace is a suite of productivity apps for email, chat, docs, calls, and more at one single place. Zoho Desk is closely integrated with a few toolsApple iOS 17 and iPadOS 17 updates for Zoho Desk users
Hello Zoho Desk users! Apple recently announced the release of iOS 17 and iPad OS 17. These latest OS updates will help you stay productive and efficient, through interactive and seamless user experiences. Zoho Desk has incorporated the updates to helpZoho Desk Cheat Sheet For The Year-End
Check out these Zoho Desk best practices to end this year on a high and have a great one ahead! #1 Set Business (Holiday) Hours - If you have limited working hours, please make sure you restrict your business hours or set them as holidays for the coming days. Let your customers know when you will, and won't, be available. #2 Update the Annual Holiday List - Check the holidays for the new year and update the holiday schedule. Usually, holidays from the current year will be carried over for the next
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
sync views to sheet
Im looking to sync my views aka reports in analytics to zoho sheets, when data is updated in analytics it also should be updated in sheets, till now zoho sheets only offer raw data connection and it is not enough as these reports are difficult to re-doHow to update the Status in a custom module?
Hi, I have a custom module "cm_payment_registry" in Billing, I am trying to change the status which is "Draft" with: array = {"custom_status":"Approved"}; zoho.billing.update("cm_payment_registry",organization.get("organization_id"), XXXXXXXXXXXXXX, array,"connectionname");is it possible to add more than one Whatsapp Phone Number to be integrated to Zoho CRM?
so I have successfully added one Whatsapp number like this from this User Interface it seems I can't add a new Whatsapp Number. I need to add a new Whatsapp Number so I can control the lead assignment if a chat sent to Whatsapp Phone Number 1 then assignReplace Zoho Invoice with QuickBooks
We are implementing Zoho FSM for a cleaning business in the US with 50+ field workers. This business has been using Quickbooks for accounting for decades and will not migrate to Zoho Books. A major issue in the integration is the US sales tax calculation.Reply and react to comments
Hi everyone! We're excited to bring to you a couple of new features that'll make your sprint process simpler. A cloud application brings with it an array of social media features that can be efficiently used in your organizational setup. As an agile scrumPossible to connect Zoho CRM's Sandbox with Zoho Creator's Sandbox?
We are making some big changes on our CRM so we are testing it out in CRM's Sandbox. We also have a Zoho Creator app that we need to test. Is it possible to connect Zoho CRM's Sandbox to Zoho Creator's Sandbox so that I can perform those tests?Sending automated messages that appear in the ticket's conversation thread
Good morning, esteemed Zoho Desk community, warm greetings Today I am here to raise the following problem, seeking a solution that I can implement: I need to implement an automation that allows me to send reminder messages to customers when I am waitingSend Supervisor Rule Emails Within Ticket Context in Zoho Desk
Dear Zoho Desk Team, I hope this message finds you well. Currently, emails sent via Supervisor Rules in Zoho Desk are sent outside of the ticket context. As a result, if a client replies to such emails, their response creates a new ticket instead of appending2025 Highlights: A Year of Steady Progress and Significant Developments
As we come to the end of 2025, let's take a moment to reflect on the significant progress and developments we've made to improve your travel and expense management. In the Spotlight Introducing Online Booking (US edition only - Early access) Enable onlineHide/Show Subform Fields On User Input
Hello, Are there any future updates in Hide/Show Subform Fields "On User Input"?Zoho Sheet for Desktop
Does Zoho plans to develop a Desktop version of Sheet that installs on the computer like was done with Writer?Unable to remove the “Automatically Assigned” territory from existing records
Hello Zoho Community Team, We are currently using Territory Management in Zoho CRM and have encountered an issue with automatically assigned territories on Account records. Once any account is created the territory is assigned automatically, the AutomaticallyReminders for Article Approval
Is there a way to send reminders for approvers to review articles and approve/deny them? I'm not seeing that option anywhere.¿Cómo puedo configurar las contraseñas creadas bajo una directiva para que nunca caduquen y no aparezcan como caducadas en los informes?
¿Cómo puedo configurar las contraseñas creadas bajo una directiva para que nunca caduquen y no aparezcan como caducadas en los informes? La razón por la cual contraseña estas no deben caducar es porque su actualización depende de mi cliente y no de mí.Function #42: Show the actual rate of items on invoices
Hello everyone, and welcome back to our series! In Zoho Books, you have the ability to create Price Lists, wherein you can mark up and mark down the item rates by a specific percentage or set custom rates. Generally, when you apply a price list to anAbility to Set Text Direction for Individual Cells in Zoho Sheet
Dear Zoho Sheet Team, We hope you are doing well. We would like to request an enhancement in Zoho Sheet that allows users to set the text direction (right-to-left or left-to-right) for individual cells, similar to what is available in Google Sheets. UseEmails sent through Bigin are not posting in IMAP Sent folder
I have set up my email to work from within Bigin using IMAP. I am using IMAP so I can sync my email across multiple devices - phone / laptop / desktop / iPad / etc. I want all my emails to populate my email client (outlook & iphone email) whether orNew in CRM: Dynamic filters for lookup fields
Last modified on Oct 28, 2024: This feature was initially available only through Early Access upon request. It is now available to all users across all data centers, except for the IN DC. Users in the IN DC can temporarily request access using this formWarehouse fast processing
Hey guys, would anyone be interested in something like the attached image ? If there's any interest I'd be willing to develop it further for others to use, it's much faster than using Zohos native solutions, it can part pack, pack in full, part ship,Data Processing Basis
Hi, Is there a way to automate the data processing for a candidate every time an application arrives from job boards, without requiring manual intervention? That is, to automatically acquire consent for data processing. I've seen a workflow that allowsHow to install Widget in inventory module
Hi, I am trying to install a app into Sales Order Module related list, however there is no button allow me to do that. May I ask how to install widget to inventory module related list?Can't change form's original name in URL
Hi all, I have been duplicating + editing forms for jobs regarding the same department to maintain formatting + styling. The issue I've not run into is because I've duplicated it from an existing form, the URL doesn't seem to want to update with the newStart/Stop Timmer in Chrome Extension
The chrome extension is great and allows you to do allot however one of the most common things employees working on projects need to do is track their time. Having an easy start/stop timer to track time would be great.Turning the page for Zoho SalesIQ: 2025 to 2026
As we wrap up 2025, we would like to take a moment to reflect on what we set out to achieve this year, what we’ve delivered, and where we’re headed next. What we focused on in 2025 This year was all about strengthening the core of engagement and AI, makingInvalid collection string
I haven't changed anything in one of my functions. I'm trying to run it manually and suddenly "Invalid collection string" appears. My code has 6 lines and the error says that the error is on 7th line. Why? What does this error mean? Nothing has been changedZoho Directory 2025: New Features | Security Enhancements | Enriched UI
Hello everyone, Greetings from the Zoho Directory team! 2025 has been a highly successful year for Zoho Directory. We are delighted to introduce a fresh set of features, an enriched UI, and major product enhancements. These updates aim to deliver a smootherBulk Schedule for Posting TikTok
Hallo, We have a client whose business is a social media agency specifically TikTok. Currently they are handling 30 TikTok accounts from. I think zoho Social can handle it with Agency License + with Add on 10 Brands. Their concern is related to postingConvert Lead Automation Trigger
Currently, there is only a convert lead action available in workflow rules and blueprints. Also, there is a Convert Lead button available but it doesn't trigger any automations. Once the lead is converted to a Contact/Account the dataset that can be fetchedzoho people 5 report
How do I customize my report in Zoho People Report? I understand that I can get the results of multi-table queries through SQL join statements, but I don't know the relationship between each table. I tried to create a report using Attendance User ReportLeave Report Emailed Weekly
I am wondering if someone knows how to have a report generated either weekly or monthly or both for department heads and ownership of upcoming employee leave. For instance, it would be nice to get an emailed report on Friday for the upcoming week of whoAbility to Edit YouTube Video Title, Description & Thumbnail After Publishing
Hi Zoho Social Team, How are you? We would like to request an enhancement to Zoho Social that enables users to edit YouTube video details after the video has already been published. Your team confirmed that while Zoho Social currently allows editing theZoho Flow Decision Continuing Despite Not Meeting Conditions
I have a picklist field called Lead Status in the leads module, with the following lead Statuses: New Lead Attempted Contact - 1 Attempted Contact - 2 Attempted Contact - 3 Attempted Contact - 4 Attempted Contact - 5 Attempted Contact - 6 Attempted ContactAdd RTL and Hebrew Support for Candidate Portal (and Other Zoho Recruit Portals)
Dear Zoho Recruit Team, I hope you're doing well. We would like to request the ability to set the Candidate Portal to be Right-to-Left (RTL) and in Hebrew, similar to the existing functionality for the Career Site. Currently, when we set the Career SiteZoho Books Sandbox environment
Hello. Is there a free sandbox environment for the developers using Zoho Books API? I am working on the Zoho Books add-on and currently not ready to buy a premium service - maybe later when my add-on will start to bring money. Right now I just need aTip #55- Accessibility Controls in Zoho Assist: Exploring Vision Settings- 'Insider Insights'
As we approach the end of the year, it’s a good moment to reflect on how we can make our tools more inclusive and easier to use for everyone. Remote support often involves long hours in front of screens, varied lighting conditions, and users with differentZoho Recruit Slow and Freezing on all screens
We have had an issue with Zoho Recruit for weeks being extremely slow and at times freezing. We have 100 mega internet, and I went into each computer and updated the virtual memory so there is more available. Also restarted all computers daily. Still having the issues. Almost unable to work.How to disable the edit option in subform
How to disable the edit option in subformCredit Management: #2 Configuring Right Payment Terms for Credit Control
Think about the last time you ordered something online and saw that little note at the checkout, "Pay on Delivery" or "Pay later". It's simple, but it actually sets the tone. As a business owner, you know exactly when payment is expected. Now, imagineDependent (Conditional) Fields in Zoho Bookings Forms
Hello Zoho Bookings Team, Greetings, We would like to request the ability to create dependent (conditional) fields in Zoho Bookings registration forms. Current Limitation: There is currently no way to make one field’s available options depend on the valueBug Report: Search fails to find existing notes after Evernote import
Hello, I recently migrated from Evernote (~2600 notes across 23 notebooks), but the search functionality is currently broken. The Issue: I can manually browse to a specific note and see it exists. However, when I type the exact or partial title of thatNext Page