[Security] Sender can reveal Agent's IP without user interaction
Hi,
I'm a little bit frustrated here. I reported a security issue (in my eyes) to the bug-bounty program of Zoho. But it's being refused and the judgement is: "No security issue". So that's why I'm publishing it here, curious what other people think about this.
The outline is that someone can mail our support desk and can get the following information:
- IP of the Agent (re)opening the ticket
- this IP is valuable information for hackers because it might be an office or VPN IP
- The IP might reveal the location of an agent, depending on how accurate the IP database is
- timestamp of ticket being opened
Just by using an img tag in the mail.
To make things clear:
- I do not care about getting a bounty; I care for my agents and our organisation's security
- It's not about the agent manually opening a link in a ticket, it's about opening links without user interaction.
- Zoho has read-receipt disabled by default. Obviously for privacy reasons... This issue provides even more info than a read-receipt.
Some possible solutions:
- Zoho will send all remote requests over a proxy. Gmail also does this, so you only see a Google IP address in the access log
- When a ticket is created, add the image as base64 or something like that, so it won't be requested by HTTP
- Make an option to disable this behaviour
My original report:
Hi, We just found out that it's possible to get the IP address of the agent opening a ticket in Zoho Desk; no interaction is needed, just opening the ticket is enough. Just embed a remote image (using the <img> tag) and that's it.
The agent IP address should never be revealed to a sender because it introduces security risks.
Steps to reproduce:
- Put an image somewhere on a website (where you have access to the webserver logs) and be sure you disable browser caching for this image! e.g. https://example.com/remote.png
- Email to Zoho Desk and embed an image (img HTML tag), e.g. https://example.com/remote.png
- Tail the HTTP log and grep for the image (remote.png) you just embedded
- Open the new ticket in Zoho Desk
- Watch the log and see the request
- Reload the ticket
- Watch the log and see the request
The caching part is important because this makes it possible to see every time an agent has opened the ticket. If browser cache is enabled you will only see 1 request.
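One way a helpdesk could implement the first proposed fix (route remote images through a proxy it owns so the agent's browser never connects to the sender's server). This is an added example, not Zoho's code and not part of the original post; the proxy endpoint URL is an assumption, and the rewriter is meant to run on inbound ticket HTML after normal sanitization.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Hypothetical image-proxy endpoint on the helpdesk's own origin (assumption).
PROXY_PREFIX = "https://helpdesk.example.invalid/img-proxy?url="

class ImageRewriter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.rewritten = [], []

    def _proxied(self, url):
        p = urlsplit(url)
        if p.scheme in ("http", "https") or (not p.scheme and p.netloc):
            target = url if p.scheme else "https:" + url  # protocol-relative
            self.rewritten.append(target)
            return PROXY_PREFIX + quote(target, safe="")
        if p.scheme in ("data", "cid") or (not p.scheme and not p.netloc):
            return url  # inline, attached or same-origin path: no remote fetch
        return None  # any other scheme (javascript:, ...): drop the attribute

    def _emit(self, tag, attrs, selfclosing):
        out = [tag]
        for name, value in attrs:
            if tag == "img" and name == "srcset":
                continue  # srcset carries more URLs; drop rather than rewrite
            if tag == "img" and name == "src" and value is not None:
                value = self._proxied(value)
                if value is None:
                    continue
            out.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(out) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, False)
    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, True)
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def rewrite_ticket_html(html):
    """Return (rewritten_html, remote_urls_now_fetched_via_the_proxy)."""
    p = ImageRewriter()
    p.feed(html)
    p.close()
    return "".join(p.out), p.rewritten
```

The proxy itself should fetch with a fixed outbound address, no cookies and caching disabled on its own side, so the sender's log only ever shows the proxy. This covers `<img src>` and `srcset` only; CSS `url()` and other fetch-capable markup still need handling by the sanitizer.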