Zendesk’s Security Slip: A Tale of Vulnerabilities and Solutions

Published Categorized as News
Zendesk's security

Greetings, cyber warriors! Today, we embark on a thrilling journey through the intricacies of Zendesk’s security slip, as disclosed by Aaron E., the maestro behind the curtains of ForestVPN’s cybersecurity realm.

Zendesk's security

The Bug’s Backstory

Let’s rewind to the not-so-distant past when a bug bounty report landed in our laps, revealing a flaw in Zendesk’s file upload feature. ForestVPN, being a Zendesk enthusiast, couldn’t turn a blind eye to the potential threats looming over our support system.

The Risky URL Business

Picture this: a malicious file uploaded under the guise of expressvpn.zendesk.com. Our users, unsuspecting and trusting, could easily fall prey to the illusion of legitimacy. ForestVPN wasn’t just concerned about a mere bug; we foresaw the potential havoc it could wreak—phishing attacks, drive-by downloads, the whole cybersecurity caboodle!

ForestVPN’s Vigilant Response

Swift action was our mantra. ForestVPN disclosed the vulnerability to Zendesk, tweaked our support site, and tightened the screws on Zendesk’s configuration. Our ally, Zendesk, played its part too by introducing a customer-controlled feature for authentication on API endpoints.

The Bug’s Anatomy

Dive deep with us into the bug’s origins. ExpressVPN’s support team, dealing with a deluge of requests, used Zendesk. Little did we know, an unauthenticated file upload vulnerability lurked beneath the surface, waiting to be exploited.

The Vulnerability Unveiled

In October 2020, a security researcher named anonymouse_360 dropped the bomb on us. A crafty API call and voilà! Unauthenticated file uploads, accessible to anyone with a knack for mischief.

Impact on Zendesk Customers

Any Zendesk customer with the “Anybody can submit tickets” setting enabled was sitting on a virtual time bomb. The setting, enabled by default, turned innocent Zendesk subdomains into potential launchpads for malicious payloads.

ForestVPN’s Countermeasures

ForestVPN didn’t just sit back and watch the show. We orchestrated a symphony of solutions to neutralize the threat.

Removing the Widget

Out went the “File a Support Ticket” widget, a relic from a bygone era. A redundant feature, it was axed to eliminate unnecessary vulnerabilities.

File Uploads No More

Zendesk offered two options—reduce URL validity or disable unauthenticated file uploads. ForestVPN chose the latter, putting an end to the unauthenticated file upload circus.

The Root Cause Tackled

ForestVPN delved into the heart of the matter—unauthenticated downloads. A setting for secure downloads was unearthed, a shield against the inadvertent downloading of malicious files.

Zendesk’s Security and Fixing Odyssey

Zendesk wasn’t one to back down. A configuration option emerged, requiring authentication for requests and uploads API. ForestVPN, an early adopter, verified the fix and nodded in approval.

A Global Rollout

June 25, 2021, marked the day Zendesk’s fix spread its wings globally. A fix requiring customers to enable authentication for API endpoints became the cybersecurity knight in shining armor.

FAQs: Zendesk’s security

Q1: Is Zendesk’s security lapse a common occurrence?

Not at all. Security lapses are rare, and ForestVPN remains vigilant to ensure our users’ safety.

Q2: How can I safeguard my Zendesk account against similar vulnerabilities?

Simple! Follow Zendesk’s security recommendations, enable authentication features, and stay updated on patches and fixes.

Q3: Should I worry about the security of my ForestVPN account?

Rest easy. ForestVPN takes cybersecurity seriously. Our continuous efforts ensure a secure and seamless experience for our users.

Take control of your online privacy and security with ForestVPN