Zendesk Security Flaw Enables Mass Email Abuse Campaign Targeting Users
SAN FRANCISCO, CA – A critical security vulnerability in the popular customer service platform, Zendesk, is allowing cybercriminals to flood targeted email inboxes with malicious messages appearing to originate from legitimate companies. Security researcher Brian krebs of KrebsOnSecurity was the first to report the widespread abuse, receiving thousands of threatening and harassing emails seemingly sent by a diverse range of Zendesk customers, including major brands like capcom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder.
Zendesk provides automated help desk services, streamlining customer support interactions for businesses. Though, the current issue stems from a configuration flaw allowing anonymous users to submit support requests without email verification. This loophole enables attackers to leverage Zendesk’s auto-responder feature, sending emails with customized subject lines – in krebs’ case, containing false warnings of law enforcement investigations and personal insults – directly from the compromised customer’s email domain.
Crucially, these abusive emails aren’t originating from Zendesk itself, but from the email addresses associated with the affected businesses, such as help@washpost.com in the case of The Washington Post (see image below).
[Image of email from The Washington Post as provided in the source]
Zendesk acknowledged the issue, explaining that some customers intentionally configure their systems to allow anonymous ticket submissions for business reasons. While the company recommends verifying user email addresses, it allows for versatility, creating the vulnerability now being exploited.
“These types of support tickets can be part of a customer’s workflow, where a prior verification is not required to allow them to engage and make use of the Support capabilities,” stated Carolyn Camoens, communications director at Zendesk. “Though, this method can also be used for spam requests to be created on behalf of third party email addresses…allowing for the ticket notification email to be sent from our customer’s accounts.”
Zendesk claims to have rate limits in place to mitigate high-volume abuse,but these proved insufficient to prevent the recent attack,which inundated KrebsOnSecurity with thousands of messages in a short period. The company says it is indeed actively investigating additional preventative measures and advising customers to implement authenticated ticket creation workflows.
The Root Cause: Lack of Email Authentication
The core of the problem lies in the failure of Zendesk customers to validate the email addresses of support request submitters.While this may simplify the support process, it opens the door for malicious actors to exploit the system and damage the sender’s reputation through disruptive and potentially harmful email campaigns.
This incident underscores the importance of robust email authentication protocols and highlights the potential consequences of prioritizing convenience over security in customer service platforms.
