[Security] Sender can reveal Agents IP without user interaction

[Security] Sender can reveal Agents IP without user interaction

Hi,

I'm a little bit frustrated here. I reported a security issue (in my eyes)  to the bug-bounty program of Zoho. But it's being refused and the judgement is: "No security issue" . So that's why i'm publicing it here, curious what other people think about this.

The outline is that someone can mail our support desk and can get the following information:
  1. IP of the Agent (re)opening the ticket
    1. this IP is valuable information for hackers because it might be an Office or VPN ip
    2. The IP might reveal the location of an agent, depending how accurate the IP database is
  2. timestamp of ticket being opened
Just by using an img tag in the mail.  

To make things clear:
  1. I do not care about getting a bounty; I care for my agents and our organisation security
  2. It's not about the agent is manually opening a link in a ticket, it's about opening links without user interaction. 
  3. Zoho has read-receipt disabled by default. Obviously because of privacy reasons ..... This issue provides even more info then a read-receipt.
Some possible solutions:
  1. Zoho will sent all remote requests over a proxy. Gmail also does this, so you only see an Google ip address in the access log
  2. When ticket is created, add the image as base64 or something like that, so it won't be requested by http
  3. Make an option to disable this behaviour
My original report:

Hi,


We just found out that it's possible to get the ip-address from the Agent opening a ticket in Zoho Desk; no interaction is needed just opening the ticket is enough. Just embed (using the <img> tag an remote image and that's it.


The agent ip-adress should never be revealed to a sender because it introduces security risks.


Steps to reproduce:

  1. Put an image somewhare on a website (where you have access to webserver logs) and be sure you disable browser caching for this image! eg. https://example.com/remote.png
  2. Email to Zoho Desk and embed an image (img html tag). eg https://example.com/remote.png
  3. Tail the http log and grab on the image (remote.png) you just embedded
  4. Open the new ticket in Zoho Desk
  5. Watch the log and see the request
  6. Reload the ticket
  7. Watch the log and see the request


The caching part is important because this makes it possible to see when an agent has opened the ticket everytime. If browser cache is enabled you will only 1 request.


    • Sticky Posts

    • Live Webinar - Work smarter with Zoho Desk and Zoho Workplace integration

      Hello customers! Zoho Desk and Zoho Workplace are coming together for a webinar on 14th May, 2024. Zoho Workplace is a suite of productivity apps for email, chat, docs, calls, and more at one single place. Zoho Desk is closely integrated with a few tools

    • Apple iOS 17 and iPadOS 17 updates for Zoho Desk users

      Hello Zoho Desk users! Apple recently announced the release of iOS 17 and iPad OS 17. These latest OS updates will help you stay productive and efficient, through interactive and seamless user experiences. Zoho Desk has incorporated the updates to help

    • Zoho Desk Partners with Microsoft's M365 Copilot for seamless customer service experiences

      Hello Zoho Desk users, We are happy to announce that Zoho Desk has partnered with Microsoft's M365 to empower customer service teams with enhanced capabilities and seamless experiences for agents. Microsoft announced their partnership during their keynote

    • Zoho Desk Cheat Sheet For The Year-End

      Check out these Zoho Desk best practices to end this year on a high and have a great one ahead! #1 Set Business (Holiday) Hours - If you have limited working hours, please make sure you restrict your business hours or set them as holidays for the coming days. Let your customers know when you will, and won't, be available. #2 Update the Annual Holiday List - Check the holidays for the new year and update the holiday schedule. Usually, holidays from the current year will be carried over for the next

    • Deprecation of older versions of ASAP Mobile SDK | Zoho Desk

      Hello, everyone.    Greetings from Zoho Desk ASAP!   In order to continue to deliver the best and most secure experience to our mobile SDK users. On account of the recent enhancements and updates to the mobile SDKs, we have planned to mark the older versions

    • Recent Topics

    • Add customer to account based on domain name.

      I generate reports based on a the account field, i.e. companyX.  In GoToAssist, my last provider, there was an option to automatically assign new ticket creators to a company (or account) based on their domain name. So for example, if a new employee creates a ticket from @companyx.com, for them to be automatically added to the companyx account would be a huge advantage.  As it stands right now, I have to remember to add them to the account manually.  Often I forget and when generating a report for

    • Facilitate business processes by mandating Kiosks in your Blueprint's transition settings

      Hello everyone, We've made a few enhancements to Kiosk Studio. Blueprints provide a structured and systematic approach to executing business processes, and you can use Kiosks to build custom capabilities to retrieve, collect, and execute actions on CRM

    • Response Violation - Zoho Desk

      Hi Team, I just need an information regarding the zoho desk - Response Violation and how can we avoid the tickets from getting the tickets response violated.

    • I need help in setting up a script that works for my calling service

      Please i need your guidance and expertise in how to go about a particular scripting. You see, we are a call service that assists companies to receive calls for them, i need to create a system in my Zoho CRM whereby i will receive call from my already

    • Zoho CRM Customer Portal Pricing Question

      Hello, I am trying to find out about the pricing for a portal that will be used for the contacts and a custom module. My client needs to use a customer portal for 15k users that will display the contact details and some informations to a linked custom

    • How to display Motivator components in Zoho CRM home page ?

      Hello, I created KPI's, games and so but I want to be able to see my KPI's and my tasks at the same time. Is this possible to display Motivator components in Zoho CRM home page ? Has someone any idea ? Thanks for your help.

    • Zoho developer edition does not work for us

      Hi Is anyone else having this problem? I'm signed in with our admin/super user account. When I click on the link on this page: https://www.zoho.com/crm/developer/docs/dev-edition.html I am asked to agree to Terms and Conditions. Clicking Agree to Terms

    • is zoho CRM down today ?

      Is zoho CRM down today ?

    • Export email adresses to email service provider (mailchimp or other)

      Hello, Is there a way to export a list of email adresses from a search in my Zoho Creator forms to an external email service (gmail, yahoo...) and initiate at the same time an email message that I will fill and send myself ? And what about Mailchimp,

    • is it possible to add more than one Whatsapp Phone Number to be integrated to Zoho CRM?

      so I have successfully added one Whatsapp number like this from this User Interface it seems I can't add a new Whatsapp Number. I need to add a new Whatsapp Number so I can control the lead assignment if a chat sent to Whatsapp Phone Number 1 then assign

    • Problem viewing document imported from google drive.

      Hello, When I add a document via my google drive, it is impossible to preview it. I get the error “Files without extensions cannot be previewed. Download to view this file”. Could you please help me? Also, and this is more of a question: is there a way

    • Launch Blueprint or Workflow Automation via Zoho Dataprep Import

      Greetings All, I'm curious - Is it possible to trigger a Blueprint or Workflow via Data Prep import? Thanks in Advance

    • Cross module filtering is now supported in CRM

      Editions: All DCs: All Release plan: This enhancement is being released in phases. It is now available in AU, JP, and CN DCs. Help resource: Advanced filters While the feature is being released in phases, you can also request for Early Access. Early Access

    • Posibility to add Emoticons on the Email Subject of Templates

      Hi I´ve tried to add Emoticons on the Subject line of Email templates, the emoticon image does show up before saving the template or if I add the Emoticon while sending an Individual email and placing it manually on the subject line. Emoticons also show

    • your phone line in the uk doesnt work i need help now

      i need to speak with customer service urgently

    • Bulk Delete Customer Contacts.

      Due to a config issue on my end (my fault), I have ALL contacts from CRM imported as contacts in Books. Some clients have 30+ contacts. Is there a funky way to bulk delete? Each contact has three clicks and a scroll to delete them.

    • Multiple domains for same username and password

      I've come across this situation the vault is currently suggessting the passwords autofill option by the domain. wondering whether is there any option to save one password for multiple domains since the microsoft login has two domains https://login.microsoftonline.com/

    • Introducing Bot Filtering for Accurate Email Campaign Analytics

      Dear Marketers, We're excited to announce a new feature designed to enhance the accuracy of your email campaign analytics: bot filtering. This feature helps you filter out bot-generated opens and clicks, ensuring your campaign reports reflect genuine

    • Option to specify or disable "Idle" times in preferences

      It seems strange to me that my Cliq shows me as "Idle" when I'm using the PC and available just because I haven't interacted with Cliq in a while.  I'm far from "Idle" so we're just treating "Idle" and "Available" to mean the same thing.  I'd like to suggest a setting to change the timeout or even disable the automatic "Idle" mode.

    • Lockable Due Dates

      Hello, is there a way to FIX due date of task or task list, so that they cannot be moved by linked task that are late? Like having a sort of "limit date" that would create an alert if not reached?

    • Link project tasks to tasks in CRM and/or other modules.

      Hello, I have created and configured a project in Zoho Projects with a set of tasks. I would now like to link these tasks (I imagine according to the ID of each one) to actions in the CRM: meetings, tasks, analytics). The aim is to link project tasks

    • Function #61: Automatically add free item to the invoice based on item quantity

      Hello everyone, and welcome back to another Custom Function Friday! During holiday seasons or special promotions, businesses offer deals like BOGO (Buy One, Get One), Buy 3 Get 1 Free, Buy 2 at 50% off, and much more to attract customers. These promotions

    • Regarding GST Report Issue in Zoho Books

      Hi, Right now, the very important point from my end is this Zoho Books issue. Here, you can see that we have created the invoice with the items of account sales and expenses. The journal is also correct. The profit and Loss statement is also correct.

    • Multiple Salesperson against an invoice

      Hello, Against a particular invoice, we have multiple sales people working. The reason we combine the invoice is becuase we are an exporter and often consolidate cargo for our customer to save them freight costs. How do I capture the contribution of each

    • Projectwise budget ---

      Can we have a Project wise subject in addition to the Monthly, and quarterly ACCOUNT LEVEL budget?

    • Looking back at Zoho Social's 2024: Highlights and memories

      Hey everyone, We hope you had a relaxing and joyous holiday season. Whether you're planning for the new year or still soaking in the magic of the season, we're here to share some exciting highlights from 2024 – a year that was fully packed with updates

    • Não foi possível enviar a mensagem;Razão:554 5.1.8 Email Outgoing Blocked.

      Preciso de ajuda não consigo enviar emails,conta recen criada

    • BIN Locations

      Hi, I’m new to Zoho inventory and unless Im missing something, I cannot find BIN locations anywhere in ‘items’? please tell me it’s there somewhere?!? Thanks

    • Building a Zoho Extension for Webex CC - Handling URL Changes

      Hi everyone, I’m building a Zoho extension for Webex Contact Center (Webex CC) and facing an issue with handling URL changes. In telephony, I’ve set the URL of Webex CC to: https://desktop.wxcc-us1.cisco.com/ When this URL remains the same, everything

    • Remove County field from Customer Address input screen (or allow input to be deleted)

      We are in the USA and have just noticed that there is now a County field in the Customer Address input screen (and maybe other areas of Zoho Books, but this is the one affecting us at the moment). County is not important to our business, and in fact we

    • Zoho still running very slow

      I have a lead log for my company and creator seems to be running extremely slow still.

    • Bigin API Token Request ("invalid_client")

      Hi people, I tried to connect to the API without success, I've read all of the documentation multiple time and tried just about everything. I tried to do it with Python Request module and with Postman, passing the information through both the URL parameter

    • Adding New Domain to Zoho mail

      Hi, I have one Zoho account already called for example "Awesome Animals". Under this account I have one domain already setup with zoho mail, example: - awesomecats.com I have another website as well which I want to add under this "Awesome Animals" account,

    • Shared Dashboard / Report Permissions : Read not Write

      hi all, We are missing a huge fonctionnalite in setting up Dashboards (and reports) on corporate level.  Currently, we can not set Read Permissions on share Dashboards (and reports) without giving write access as well When we create a corporate dashboard

    • Trying to catch error with ZOHO.CRM.HTTP.get (Response Code)

      Hello, I'm trying to get response header from ZOHO.CRM.HTTP.get, in order to catch error like 404 or something else but it seems that ZOHO.CRM.HTTP.get() method only returns the body of the response, and I see no way to access the headers returned. Is

    • Profile stitching with Zoho Marketing Automation

      When it comes to marketing, knowing who your audience is and tracking their interactions is vital. That's why Zoho Marketing Automation has taken a significant leap forward with its enhanced profile stitching feature. With this update, you can track your

    • GDPR

      Hi , I'm checking out the HIPPA capabilities and at the moment I can see only three modules that can be selected to enable HIPPA Any idea how I can add additional modules such as customers? TNX David

    • default task list for new project

      Is there any way to have a default task list already created in a project, when the project is created in Zoho Books?

    • Record less quantity than ordered in ZOHO inventory

      Lets say I ordered 100 widgets from a Vendor. I have paid the Vendor month ago and just waiting for the product to ship. I have finally received the products but have only received 80 widgets. I see no way in ZOHO to only receive 80 widgets. ZOHO is forcing

    • Stripe payments via Books invoice link missing email - affects fraud detection

      Hi, All our payments done via Books invoice link have a warning: Integration improvement available This transaction is missing customer email address, which affects fraud detection. Why doesn't Books pass this info to zohosecurepay.eu/books/... for more

    • Next Page