Varonis finds and discloses a Zendesk flaw that could have compromised customer accounts. Zendesk has now patched its product.
Zendesk vulnerability discovered.
Researchers at Varonis have discovered a vulnerability in the customer support product Zendesk that could have allowed attackers to access customer accounts.
Vulnerabilities affect Zendesk Explore.
The researchers found a SQL injection vulnerability and a logical access flaw that affected the product’s reporting and analytics tool Zendesk Explore, which is disabled by default. The researchers state that “the flaw would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk accounts with Explore enabled”:
“To exploit the vulnerability, an attacker would first register for the ticketing service of its victim's Zendesk account as a new external user. Registration is enabled by default because many Zendesk customers rely on end-users submitting support tickets directly via the web. Zendesk Explore is not enabled by default but is heavily advertised as a requirement for the analytic insights page.”
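The two defect classes named above, an SQL injection in a reporting query and a logical access flaw that lets a self-registered end user reach that query at all, are easy to confuse because one payload can exercise both. The following Python block is an added illustration written for this page; it is not Zendesk's or Varonis's code and does not reproduce the actual Explore bug. The schema, the `tickets` table, the sample rows, and the function names `report_vulnerable` and `report_hardened` are all constructed for the example. It shows a report endpoint that splices a user-supplied filter into SQL with no role check, the crafted filter that widens it to every ticket, and the hardened form in which reporting is refused to non-agents and the filter only ever reaches SQLite as a bound parameter.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a support database.
# This schema is invented for the example, not Zendesk's.
SAMPLE_TICKETS = [
    (1, "alice@example.com", "Cannot log in", "agent-only note: password reset done"),
    (2, "bob@example.com", "Billing question", "agent-only note: refund issued"),
    (3, "mallory@example.com", "Hello", ""),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed tickets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER, requester TEXT, subject TEXT, comments TEXT)"
    )
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?, ?)", SAMPLE_TICKETS)
    return conn


def report_vulnerable(conn, requester, subject_filter):
    """Vulnerable pattern (hypothetical): the filter is spliced into the SQL
    text, and nothing checks whether the caller is allowed to run reports.
    Any self-registered end user can call this with a crafted filter."""
    sql = (
        "SELECT id, requester, subject, comments FROM tickets "
        f"WHERE requester = '{requester}' AND subject LIKE '%{subject_filter}%'"
    )
    return conn.execute(sql).fetchall()


def report_hardened(conn, user, subject_filter):
    """Hardened pattern (hypothetical): reporting requires the agent role (the
    logical access check), and the filter is passed as a bound parameter, so
    it is data to the database engine, never SQL."""
    if user.get("role") != "agent":
        raise PermissionError("reporting is restricted to agents")
    # Escape LIKE metacharacters so the filter cannot widen itself either.
    escaped = (
        subject_filter.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = (
        "SELECT id, requester, subject, comments FROM tickets "
        "WHERE subject LIKE ? ESCAPE '\\'"
    )
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


def demo():
    """Run the honest query, the injected query, and both hardened outcomes.
    Returns (honest_rows, leaked_rows, end_user_refused, agent_rows_for_payload)."""
    conn = make_db()
    # Mallory self-registers as an ordinary end user and should only see ticket 3.
    honest = report_vulnerable(conn, "mallory@example.com", "Hello")
    # The crafted filter closes the quoted LIKE pattern, ORs in a tautology and
    # comments out the rest, so the requester restriction no longer applies and
    # every ticket, agent-only comments included, comes back.
    payload = "' OR 1=1 --"
    leaked = report_vulnerable(conn, "mallory@example.com", payload)
    # Hardened path: an end user is refused before any SQL runs at all.
    try:
        report_hardened(conn, {"email": "mallory@example.com", "role": "end-user"}, payload)
        refused = False
    except PermissionError:
        refused = True
    # Even an agent sending the same payload gets a literal substring match,
    # which matches no subject in the sample data.
    agent_rows = report_hardened(conn, {"email": "agent@example.com", "role": "agent"}, payload)
    return len(honest), len(leaked), refused, len(agent_rows)


if __name__ == "__main__":
    print(demo())
```

The point of keeping both checks is that parameterising the query alone would close the injection but still let any self-registered end user run reports, while the role check alone would leave agents able to inject; the fix described on this page had to address both.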
Zendesk quickly issues patch.
Zendesk promptly developed a patch for the flaw after being notified by Varonis:
“There is no evidence that any Zendesk Explore customer accounts were exploited, and Zendesk started working on a fix the same day it was reported. The company fixed multiple bugs in less than one workweek with zero customer action required.”