[Security] Sender can reveal Agents IP without user interaction
Hi,
I'm a little bit frustrated here. I reported a security issue (in my eyes) to the bug-bounty program of Zoho. But it's being refused and the judgement is: "No security issue" . So that's why i'm publicing it here, curious what other people think about this.
The outline is that someone can mail our support desk and can get the following information:
- IP of the Agent (re)opening the ticket
- this IP is valuable information for hackers because it might be an Office or VPN ip
- The IP might reveal the location of an agent, depending how accurate the IP database is
- timestamp of ticket being opened
Just by using an img tag in the mail.
To make things clear:
- I do not care about getting a bounty; I care for my agents and our organisation security
- It's not about the agent is manually opening a link in a ticket, it's about opening links without user interaction.
- Zoho has read-receipt disabled by default. Obviously because of privacy reasons ..... This issue provides even more info then a read-receipt.
Some possible solutions:
- Zoho will sent all remote requests over a proxy. Gmail also does this, so you only see an Google ip address in the access log
- When ticket is created, add the image as base64 or something like that, so it won't be requested by http
- Make an option to disable this behaviour
My original report:
Hi,
|
Access your files securely from anywhere
Zoho Developer Community
New to Zoho LandingPage?
Zoho LandingPage Resources
New to Zoho Survey?
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Bigin?
Topic Participants
Gerwin
Shivani | Zoho Desk
Sticky Posts
Live Webinar - Work smarter with Zoho Desk and Zoho Workplace integration
Hello customers! Zoho Desk and Zoho Workplace are coming together for a webinar on 14th May, 2024. Zoho Workplace is a suite of productivity apps for email, chat, docs, calls, and more at one single place. Zoho Desk is closely integrated with a few toolsApple iOS 17 and iPadOS 17 updates for Zoho Desk users
Hello Zoho Desk users! Apple recently announced the release of iOS 17 and iPad OS 17. These latest OS updates will help you stay productive and efficient, through interactive and seamless user experiences. Zoho Desk has incorporated the updates to helpZoho Desk Partners with Microsoft's M365 Copilot for seamless customer service experiences
Hello Zoho Desk users, We are happy to announce that Zoho Desk has partnered with Microsoft's M365 to empower customer service teams with enhanced capabilities and seamless experiences for agents. Microsoft announced their partnership during their keynoteZoho Desk Cheat Sheet For The Year-End
Check out these Zoho Desk best practices to end this year on a high and have a great one ahead! #1 Set Business (Holiday) Hours - If you have limited working hours, please make sure you restrict your business hours or set them as holidays for the coming days. Let your customers know when you will, and won't, be available. #2 Update the Annual Holiday List - Check the holidays for the new year and update the holiday schedule. Usually, holidays from the current year will be carried over for the nextDeprecation of older versions of ASAP Mobile SDK | Zoho Desk
Hello, everyone. Greetings from Zoho Desk ASAP! In order to continue to deliver the best and most secure experience to our mobile SDK users. On account of the recent enhancements and updates to the mobile SDKs, we have planned to mark the older versions
New to Zoho TeamInbox?
Zoho TeamInbox Resources
Zoho DataPrep Resources
Zoho CRM Plus Resources
Zoho Books Resources
Zoho Subscriptions Resources
Zoho Projects Resources
Zoho Sprints Resources
Qntrl Resources
Zoho Creator Resources
Zoho Campaigns Resources
Zoho CRM Resources
Design. Discuss. Deliver.
Zoho Show Resources
Get Started. Write Away!
Writer is a powerful online word processor, designed for collaborative work.
Zoho CRM コンテンツ
-
オンラインヘルプ
-
Webセミナー
-
機能活用動画
-
よくある質問
-
Ebook
-
-
Zoho Campaigns
- Zoho サービスのWebセミナー
その他のサービス コンテンツ
Nederlandse Hulpbronnen
ご検討中の方
Recent Topics
Year-End Wrap: Disconnect now; Reconnect later with Offline Mode
🎄Happy Holidays🎄 Let's say you are travelling home to spend the holiday season with your loved ones. Before you even board the train, you check your phone only to find your inbox rapidly filling with urgent emails that need your attention. There’s noExploring SalesIQ's Top Features of 2024: An Insider's Look 🔍
As we wrap up another year at Zoho SalesIQ, it's time to reflect on how far we've come. This year has been incredible for us in our journey to build a more powerful, flexible, and customer-centric engagement platform. We've introduced several featuresResource booking functionality questions
I'm exploring the resource booking functionality in Zoho Bookings for my organisation's needs. I have a few questions about the available Zoho Bookings functionalities. Is it possible to force all users to sign up for an account before they book a resource?How to create a Field with answers as Yes, No> Further if no is selected a new field to be visible to give details
Dear All, I am creating a feedback form in HR Letter. The question is were you satisfied with the work allotted. Expected answer to this is Yes, No. Further if the response is no, then a field to be give to fill more details as to why no was selected.Modify the way a phone number is shown in footer on ZOHO Booking Page
The default display of the phone number field in the footer is not customer friendly - See image below. We would like it to use the accepted standards of phone number display: +61 (0)2 88545440, or allow us to choose. At the moment ZOHO Booking sets howZoho Bookings Multilingual ?
Hello, Not sure if there is a way to do it currently, but it would be very helpful if Zoho bookings allowed multilingual translations so we could have our booking pages and notifications setup in multiple languages. Thanks,Allow customers to choose meeting venue and meeting duration on booking page
My business primarily involves one-to-one meetings with my clients. Given the hybrid-work world we now find ourselves in, these meetings can take several forms (which I think of as the meeting "venue"): In-person Zoom Phone call I currently handle theseProblem viewing document imported from google drive.
Hello, When I add a document via my google drive, it is impossible to preview it. I get the error “Files without extensions cannot be previewed. Download to view this file”. Could you please help me? Also, and this is more of a question: is there a wayTwo way sync Zoho Mail and Bookings
Hi, I know it’s possible to view Bookings appointments in Zoho Mail, but is there a way to see my Zoho Mail meetings in the Bookings calendar?Modifying iframe data of Zoho booking iframe
Hello, I have integrated a Zoho Bookings embedded iframe into my website. Currently, I am pre-filling the booking form with default values as part of our process flow. However, I want to ensure that if an input field is already populated with a defaultSending my emails to Spam Folder
I am loosing my business because of this issue, many of my customers are receiving their email in the spam sometimes no one checks themWhy can't I sync my Zoho Mail tasks and notes with my mobile device, and is there a way to fix this issue?
I'm having trouble syncing my Zoho Mail tasks and notes with my mobile device. Despite following the usual steps, the tasks and notes don't appear on my phone. Is there a way to fix this issue? Regards, Adamjes, Tekskills India Pvt Limited, India.Re: constant rejected email form and to my account
Hi, have had several rejection when I sent an email to Zoho account as well as other people have sent emails to my as your health Centre they have account and all aspects have been ejected. i wonder why the email are rejecting to and from. If you seeHow do I redeem credits?
How do I redeem credits that are shown in billing section?Introducing 'Queries' In Zoho CRM
Hello everyone! We are here with an exciting feature - Queries in Zoho CRM! A little context before we dive right into the feature specifics :) In today’s fast-paced business environment, immediate access to relevant data is essential for informed decision-making.Will zoho thrive be integrated with Zoho Books?
titleCannot add IMAP account to "new" Outlook
Hi, I am attempting to add an IMAP account to my copy of the "new" Outlook on my desktop computer. I have tried using the default password when MFA was disabled and an app password when MFA was enabled. But neither attempt worked. My Windows 11 OS numberCustom Module I made shows the records I uploaded are there but they are not showing up.
Here's a screenshot of the module - It shows there are around 2000 records but it says that there aren't any. The module is viewable by administrators and I am on an administrator account so I am not sure why the records aren't showing. Any help wouldUpdate Zoho Flow on Sprint Work Item Status Change
Hello, I've contacted Zoho One support but have been unable to help in a timely manner, so I'm asking the community. I want to start using sprints, but I'm having an issue. I need to post updates to Slack when a Work Item has a status change. My understandingIssue with skip_workflow Not Preventing Edit Workflow Trigger
Hi Team, I am trying to upload a file to a form in Zoho Creator. However, during the upload, an edit workflow is being triggered. I want to prevent this workflow from running, so I have used the skip_workflow parameter as mentioned in the API documentation:Create Dashboard using data/tables from different workspaces
Is it possible do create a Dashboard using different tables that are part of different Workspaces?Este domínio já está associado a esta conta
quando digitei meu domínio recebi essa mensagem que meu domínio estava associado a uma conta que eu nem faço idéia de quem seja. Como que faço pra resolver isso?Storage addon failed to upgrade
Hi, I am trying to purchase addon storage, but i am getting upgrade failed error Sorry! We are unable to process your information. Please try again after some time. If the problem occurs again, please visit our Contact Us page to reach out to the appropriateno puedo recibir correos
Hola, en la cuenta de la empresa desde hace unos tres días dejamos de recibir correos y no hemos realizado ningun cambio de configuracion, requerimos asistencia urgente por favorDefault reminders on Emails
I have seen that it is possible to set, for each email, a reminder when the email remains unresponded for some time. This is very useful, so useful that I would like to set it for all my emails, by default. Because an unanswered email usually requiresNO PUEDO RECIBIR CORREOS EN MI CUENTA ZOHO MAIL
LO QUE SI PUEDO HACER ES ENVIAR CORREOS PERO NO PUEDO RECIBIR CORREOS. Y LA CONFIGUIRACION DE MI DNS YA ESTA CORRECTA Y APUNTAN A ZOHO PERO AUN ASI NO PUEDO RECIBIR NECESITO AYUDA URGENTE YA QUE EN MEXICO NO HAY FORMA DE COMUNICARNOS VIA TELEFONIA CONSend email is not authenticated
Hi, I’m getting an error in Gmail, when receiving an email from my account in zoho, my email is already authenticated in my domain, and I don't know why I keep receiving this message... also testing in outlook, the message goes directly to "junk".Using Queries with dynamic parameters in Kiosk Studio
Hi, I'm pretty new when it comes to developing within Zoho (I'm really a .NET developer), as it was just added to my responsibilities. For a new feature in the CRM, I'm trying to develop a Kiosk function to show a list of records (retrieved by the newWorkflow Based on Manual Journal
Manual journal entries are one of the few areas that cannot kick off a workflow automation in Zoho Books currently. I would propose considering adding that. My use case is that the payroll provider I use (a flavor of SurePayroll) has a Zoho Books automationZoho sheets to crm and mapping
i want to know more about mapping the contacts that i upload from the spreadsheet also couldnt able to understand flowCondition-based data sharing rules are now available in CRM
Dear All, We are excited to introduce a much awaited feature: condition-based data sharing rules. We'd love to explain more about this enhancement. Specify record conditions in data sharing rules Data sharing rules enable you to share all the CRMAutomatic Portal invite
We have numerous customers we move through a blueprint in deals, when they get to a certain point we need to give them portal access, how can this be done through deluge or a workflow?Directly Edit, Filter, and Sort Subforms on the Details Page
Hello everyone, As you know, subforms allow you to associate multiple line items with a single record, greatly enhancing your data organization. For example, a sales order subform neatly lists all products, their quantities, amounts, and other relevantIs it possible to trigger the review process when a record is edited?
Hello, I need to trigger a review process whenever a field is updated to a specific value. This field is empty when the record is created and is only filled later. I know the approval process exists, but that's not what I'm looking for in this case. What【Zoho CRM】ウィザード機能のアップデート
ユーザーの皆さま、こんにちは。コミュニティチームの中野です。 今回は「Zoho CRM アップデート情報」の中からウィザード機能のアップデート をご紹介します。 今回のアップデートにより、ウィザードの「条件処理ルール」機能が改良され、以前の入力画面の項目を基に条件を設定できるようになりました。 これまでは条件設定が1つの画面内に限られていたため、画面間で情報を関連付ける際に、余分な項目を作成する必要がありました。 今回のアップデートにより、前の画面の情報を利用して次の画面に条件を適用できるため、設定がより効率的になります。Multiple date selection
Hello, we want create app for our company. We need create tasks for our employers. For example - 1 employer have task every Friday the whole year. Second have task every Monday for 6 months. For simple way create Multiple date selection in date formLast payroll of the year gives me an error
Trying to run the last payroll of the year. The payment doesn't get to the employee until 1/1/25, which is correct. However when I try to process it I get the following error: Tax calculation is not supported for the year 2025. Please change the Pay date.Partner with HDFC And Sbi Bank.
Hdfc and sbi both are very popular bank if zoho books become partner with this banks then many of the zoho books users will benefit premium features of partnered banks.Send a formatted CV to multiple contacts at multiple clients - and have it associate with both candidate client
I would like to send a formatted CV of a candidate to multiple contacts at multiple clients and have it kept on the record of all three; client, contact and candidate. I understand how to send an email to multiple contacts at multiple clients - and indeed I am able to attach the CV of a candidate through 'browse'. Obviously this does not associate it with the candidate though, only the contact it is sent to. Is there any way to do this? Thanks in advance.Set organization level access to Knowledge Base and manage duplicate article permalinks (with date appended to them)
Hello everyone, We have introduced two important updates in the Knowledge Base module: Permissions - A new permission called "Admin access" has been introduced under module permission. Permalink alert - Users will be alerted when an article with the sameNext Page