[Security] Sender can reveal Agents IP without user interaction

Hi,

I'm a little bit frustrated here. I reported a security issue (in my eyes) to the bug-bounty program of Zoho. But it's being refused and the judgement is: "No security issue". So that's why I'm publishing it here, curious what other people think about this.

The outline is that someone can mail our support desk and can get the following information:
  1. IP of the agent (re)opening the ticket
    1. this IP is valuable information for hackers because it might be an office or VPN IP
    2. the IP might reveal the location of an agent, depending on how accurate the IP database is
  2. timestamp of the ticket being opened
Just by using an img tag in the mail.

To make things clear:
  1. I do not care about getting a bounty; I care about my agents and our organisation's security
  2. It's not about the agent manually opening a link in a ticket; it's about links being opened without user interaction.
  3. Zoho has read-receipts disabled by default, obviously because of privacy reasons. This issue provides even more info than a read-receipt.
Some possible solutions:
  1. Zoho sends all remote requests over a proxy. Gmail also does this, so you only see a Google IP address in the access log
  2. When a ticket is created, add the image as base64 or something like that, so it won't be requested over HTTP
  3. Make an option to disable this behaviour
My original report:

Hi,

We just found out that it's possible to get the IP address of the agent opening a ticket in Zoho Desk; no interaction is needed, just opening the ticket is enough. Just embed a remote image (using the <img> tag) and that's it.

The agent IP address should never be revealed to a sender because it introduces security risks.

Steps to reproduce:

  1. Put an image somewhere on a website (where you have access to the webserver logs) and be sure you disable browser caching for this image! e.g. https://example.com/remote.png
  2. Email Zoho Desk and embed the image (img HTML tag), e.g. https://example.com/remote.png
  3. Tail the HTTP log and grep for the image (remote.png) you just embedded
  4. Open the new ticket in Zoho Desk
  5. Watch the log and see the request
  6. Reload the ticket
  7. Watch the log and see the request

The caching part is important because it makes it possible to see every time an agent opens the ticket. If browser caching is enabled you will only see 1 request.
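One way to implement solution 1 above (route every remote image through a proxy so the agent's browser only ever talks to the helpdesk's own infrastructure), while leaving inline `data:` and `cid:` images untouched as in solution 2. This is an added defensive example, not Zoho's code and not part of the original report; the proxy endpoint, the signing key and the sample ticket body are assumptions constructed for the demo. The rewritten URL is HMAC-signed so the proxy only fetches URLs the sanitiser approved, instead of becoming an open relay.

```python
import hashlib
import hmac
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlparse

# Hypothetical proxy endpoint and signing key (assumptions; not Zoho's real infrastructure).
PROXY_BASE = "https://img-proxy.example.invalid/fetch"
PROXY_KEY = b"constructed-demo-key-replace-in-production"


def _sign(src: str) -> str:
    """HMAC over the original URL so the proxy only fetches URLs this sanitiser approved."""
    return hmac.new(PROXY_KEY, src.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_url(src: str) -> str:
    """Proxied form of a remote image URL: the agent's browser contacts PROXY_BASE, not the sender."""
    return f"{PROXY_BASE}?url={quote(src, safe='')}&sig={_sign(src)}"


def verify_proxy_request(src: str, sig: str) -> bool:
    """Proxy-side check: refuse to fetch anything the sanitiser did not sign (no open relay)."""
    return hmac.compare_digest(_sign(src), sig)


def is_remote(src: str) -> bool:
    """Only http(s) references reveal the viewer's IP; data: and cid: images never leave the app."""
    return urlparse(src.strip()).scheme.lower() in ("http", "https")


class ImgRewriter(HTMLParser):
    """Re-serialises inbound HTML, replacing remote <img src> values with proxied URLs."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.remote_images: list[str] = []  # what was rewritten, useful for logging/alerting

    def _render(self, tag: str, attrs, self_closing: bool) -> str:
        parts = [tag]
        for name, value in attrs:
            if tag == "img" and name == "src" and value and is_remote(value):
                self.remote_images.append(value)
                value = proxy_url(value)
            if value is None:
                parts.append(name)
            else:
                # HTMLParser hands us decoded attribute values, so re-escape on output.
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def rewrite_ticket_html(html_text: str) -> tuple[str, list[str]]:
    """Return (sanitised HTML, list of remote image URLs that were routed via the proxy)."""
    parser = ImgRewriter()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.remote_images


# Constructed inbound ticket body: one 1x1 remote tracking image, one inline base64 image.
SAMPLE_TICKET_HTML = (
    "<p>Hello support,</p>"
    '<img src="https://example.com/remote.png" width="1" height="1">'
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline">'
)

if __name__ == "__main__":
    body, proxied = rewrite_ticket_html(SAMPLE_TICKET_HTML)
    print(body)
    print("proxied:", proxied)
```

Run stand-alone it prints the rewritten ticket body: the remote image now points at the proxy with a `url=` and `sig=` query, the inline image is unchanged, and `proxied` lists the one URL that was rewritten. The `remote_images` list is also the natural place to hook a detection: a ticket whose first message carries a 1x1 remote image with caching disabled is exactly the pattern described in the report.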

