Summary: A serious vulnerability in Zendesk’s email management system, identified as CVE-2024-49193, exposes companies to email spoofing attacks that can compromise sensitive support ticket histories. Despite initial dismissals from Zendesk, the flaw has prompted urgent action from affected companies to mitigate risks.
Threat Actor: Unknown | unknown
Victim: Zendesk Users | Zendesk
Key Point :
- The vulnerability allows attackers to spoof emails and gain unauthorized access to sensitive ticket histories.
- Attackers can easily estimate ticket IDs due to their incremental nature, facilitating widespread exploitation.
- Despite the severity of the issue, Zendesk initially dismissed the vulnerability as out of scope for their bug bounty program.
- Daniel’s reporting led to significant bounties from affected companies, highlighting the importance of robust security measures.
- Zendesk has since patched the vulnerability after facing pressure from the security community.
In a detailed analysis by security researcher Daniel, a serious vulnerability in Zendesk’s email management system, tracked as CVE-2024-49193, has been revealed. This flaw exposes companies using Zendesk to a dangerous email spoofing exploit that allows unauthorized access to sensitive support ticket histories. Despite initial dismissals of the report by Zendesk, the gravity of the issue has become clear, forcing companies to take immediate action.
As outlined by Daniel, the vulnerability is rooted in Zendesk’s handling of email collaborations. Zendesk automatically generates a reply-to address, such as support+id{id}@company.com, for every ticket. This system is meant to help companies track email threads related to support requests. However, a significant oversight in Zendesk’s email spoofing protections allows attackers to exploit this system.
Daniel explains the simplicity of the attack: “If an attacker knew the support email address and the ticket ID (which are usually easy to guess since ticket IDs are incremental), they could use email spoofing to impersonate the original sender.” By sending a forged email to Zendesk, the attacker can CC their own email and effectively gain full access to the entire ticket history, which may contain sensitive information.
This flaw was discovered earlier this year, and despite Daniel’s quick reporting to Zendesk through their bug bounty program, the response was less than ideal. The bug was dismissed as “out of scope” because it relied on email spoofing, which Zendesk considered outside the scope of its HackerOne program. However, Daniel notes, “It was unbelievable” that such a significant security risk was dismissed so casually.
One of the most concerning aspects of CVE-2024-49193 is the widespread potential for abuse. Daniel’s analysis shows that the vulnerability allows attackers to brute-force or estimate ticket IDs, making it possible to target numerous Zendesk instances. Since ticket IDs are often incremental, once an attacker estimates a range of ticket numbers, they can begin exploiting the system.
The attacker’s steps are simple but effective. They send spoofed emails from legitimate-looking addresses, targeting tickets within the estimated range. By manipulating Zendesk’s email collaboration feature, they can add themselves to any ticket and view its complete history. “This meant an attacker could effectively join any ongoing support conversation, and read sensitive information—all because Zendesk didn’t have proper safeguards against email spoofing,” Daniel highlights.
Once Daniel replicated the exploit, he began individually reporting the vulnerability to companies using Zendesk. Some companies reacted swiftly, disabling Zendesk’s email collaboration feature to close the security hole. Over the course of his reporting, Daniel earned over $50,000 in bounties from affected companies. However, the reaction from Zendesk itself was slower. It wasn’t until several companies applied pressure that Zendesk began taking the vulnerability seriously.
Daniel’s work has forced companies and Zendesk to reevaluate their security measures. His analysis uncovered how simple mistakes, like insufficient spoofing protections, can lead to widespread security risks. Zendesk has since patched the issue, but only after facing significant backlash from the security community.