[Security] Sender can reveal Agents IP without user interaction

[Security] Sender can reveal Agents IP without user interaction

Hi,

I'm a little bit frustrated here. I reported a security issue (in my eyes)  to the bug-bounty program of Zoho. But it's being refused and the judgement is: "No security issue" . So that's why i'm publicing it here, curious what other people think about this.

The outline is that someone can mail our support desk and can get the following information:
  1. IP of the Agent (re)opening the ticket
    1. this IP is valuable information for hackers because it might be an Office or VPN ip
    2. The IP might reveal the location of an agent, depending how accurate the IP database is
  2. timestamp of ticket being opened
Just by using an img tag in the mail.  

To make things clear:
  1. I do not care about getting a bounty; I care for my agents and our organisation security
  2. It's not about the agent is manually opening a link in a ticket, it's about opening links without user interaction. 
  3. Zoho has read-receipt disabled by default. Obviously because of privacy reasons ..... This issue provides even more info then a read-receipt.
Some possible solutions:
  1. Zoho will sent all remote requests over a proxy. Gmail also does this, so you only see an Google ip address in the access log
  2. When ticket is created, add the image as base64 or something like that, so it won't be requested by http
  3. Make an option to disable this behaviour
My original report:

Hi,


We just found out that it's possible to get the ip-address from the Agent opening a ticket in Zoho Desk; no interaction is needed just opening the ticket is enough. Just embed (using the <img> tag an remote image and that's it.


The agent ip-adress should never be revealed to a sender because it introduces security risks.


Steps to reproduce:

  1. Put an image somewhare on a website (where you have access to webserver logs) and be sure you disable browser caching for this image! eg. https://example.com/remote.png
  2. Email to Zoho Desk and embed an image (img html tag). eg https://example.com/remote.png
  3. Tail the http log and grab on the image (remote.png) you just embedded
  4. Open the new ticket in Zoho Desk
  5. Watch the log and see the request
  6. Reload the ticket
  7. Watch the log and see the request


The caching part is important because this makes it possible to see when an agent has opened the ticket everytime. If browser cache is enabled you will only 1 request.