Zendesk Email Bombing: Hackers Abuse Customer Support Platform

Zendesk Security Flaw⁣ Enables ⁢Mass Email Abuse‍ Campaign Targeting Users

SAN FRANCISCO, CA – A critical security vulnerability in the popular customer ​service platform, Zendesk, is allowing cybercriminals to flood targeted email inboxes with malicious messages appearing to originate from legitimate companies. Security researcher Brian ⁣krebs of KrebsOnSecurity was the first to report the widespread abuse, receiving‌ thousands of ⁤threatening and harassing emails seemingly sent ​by a diverse range of Zendesk customers, including major brands like capcom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder.

Zendesk provides automated help desk ‌services, streamlining customer support interactions for businesses. Though, the current issue stems from a configuration flaw allowing anonymous users to submit ⁤support requests without email verification. This loophole enables⁤ attackers to leverage Zendesk’s auto-responder feature, sending emails with ⁢customized subject lines – in krebs’​ case, containing false warnings of law enforcement investigations and personal insults – directly from‌ the compromised customer’s email domain.

Crucially, these​ abusive emails aren’t ‍originating from Zendesk itself, but from the email⁢ addresses‌ associated with the affected ⁤businesses, ⁢such as help@washpost.com in the ‌case of The Washington Post (see image below).

[Image of email from The Washington Post as provided in the source]

Zendesk⁣ acknowledged the issue, explaining that some customers intentionally configure their systems to allow⁤ anonymous ticket submissions for business reasons. While the company recommends verifying user ⁢email addresses, it allows for versatility, creating the vulnerability now being exploited.

“These types of support tickets can be part of a customer’s ​workflow, where‍ a prior verification is not required to allow them to engage and make use of the Support capabilities,” stated Carolyn Camoens, communications director at Zendesk. “Though, this method can also be used for spam requests to be created on behalf of third party email addresses…allowing for the ticket notification email to be sent from our customer’s accounts.”

Zendesk ⁣claims to⁣ have rate limits in place⁢ to mitigate high-volume ⁣abuse,but these proved insufficient‌ to prevent the recent‍ attack,which inundated KrebsOnSecurity with thousands of messages in a short period. The company says it​ is indeed actively‍ investigating ‌additional preventative​ measures and advising customers to⁤ implement ⁢authenticated ticket creation workflows.

The Root Cause: Lack of Email Authentication

The core of the problem lies in the failure of Zendesk customers ⁢to validate the email addresses of support⁤ request submitters.While this may simplify the⁣ support​ process, it opens the door for malicious actors to exploit the system and damage the sender’s reputation through disruptive and potentially harmful ⁣email ‍campaigns.

This incident underscores the importance of robust email authentication protocols and highlights the⁤ potential consequences of prioritizing convenience over security in‌ customer service platforms.