Support: Restrict Attachments by File Type

Geplant

47 Kommentare

  • Offizieller Kommentar
    Chika Chima
    Zendesk Product Manager

    Hello!

    We are set to start the rollout of the Malware Scanning feature in Support June 27, 2022. There will be an official announcement on the help center on June 27, 2022. As of now here is documentation what the feature will entail.

    This feature will not have restriction of file attachment, however we know how important having that capability and will continue to investigate that in the future

  • Luiz Carlos Poleza Junior

    I did install the plugin, however it does NOT BLOCK users from uploading restrict filetypes.

    The ticket open as unusual, and the attachment is still visible from Support (although restricted, but this can also be circunvented by agents)

    We need a option to REJECT or to BLOCK UPLOAD for certain filetypes

    6
  • Alexandra Hjert

    Second the need for this. Without this malicious files can be downloaded and it is also a GDPR risk if we're unable to remove sensitive information.

    https://support.zendesk.com/hc/en-us/articles/215768848-Are-incoming-ticket-attachments-scanned-for-viruses-

    https://support.zendesk.com/hc/en-us/community/posts/360032044793-Product-Feature-Request-Virus-Scanning-on-Attachments-or-Limiting-File-Types

     

    2
  • Product Team

    Is there any further updates on this?  It's making life very difficult for our users and agents as our security team will not let us allow attachments in the current set-up.

    Thanks.

     

    2
  • Fikri Hedianto

    Hi @...,

     

    Are there any update on this product roadmap?

     

    Thanks

    2
  • Damien Messé

    Hello, I have also been contacted by the security team to restrict the upload of files following a message from a bug bounty hunter about this breach.

    Any solution proposed by Zendesk to restrict the upload of certain type of file ?

    2
  • WRO Jacuk-Zurak, Marta

    Hello,

    We have same problem, the restriction on attachments added by End Users is available on Chat. But when a Customer get into Help Center -> My Activities portal he can upload any type of attachments. It is risky as user can upload there anything and our security contacted us as they found it as a bug.

    Any solution that is going to be implemented on Help Center for this bug?

    Thanks

    2
  • Sydney Neubauer

    This has also been brought to our attention. We have the redact app however most of our Agents do not have delete permissions so it is useless to them. 

     

    We need the ability to prevent the attachments from even making it to Zendesk. It is a security concern with a level 1 priority.

    2
  • Gareth Elsby

    We have also highlighted this to Zendesk as a security issue after having it highlighted by our internal bug bounty program. Malicious actors are able to upload attachments via a support ticket. Our agents are at risk of receiving them, but the file is also able to be served to anybody by grabbing the file from Zendesk's CDN and hotlinking to it. Please see reproduction steps from our report:

    1)Vist example.zendesk.com.
    2)Navigate to Submit a request -->Enter details & in file upload section as an attacker I'm able to upload execution files such as .php ,.aspx files
    3)Taking it to further I deleted these files when checked these files are still accessible and stored at backend.
    4)This leads to help centre can be used as Temporary drive.

    Now I for one do not want my company's subdomain being used as a filestore for serving malicious files and I'm confident that no other customers do either. This issue needs to be brought back on to the roadmap asap as a security issue. 

    At the very least, incoming attachments should be scanned by Zendesk for exploits and removed. The respective support ticket can be informed of this action by Zendesk. 

    2
  • Anastasia Kachanova

    +1 here

    Zendesk admins should have granular control over attachment types for email and forms. 

    We do not want to use any 3rd party app and prefer to see this solution provided directly by Zendesk (preferably directly in the Admin center settings and not as another app)

    2
  • Justin

    Agree with this. We have to restrict our agents to using a 3rd party for file transfer where we can control what type of files are being passed back and forth. Given this is an option in Chat, this seems like a no-brainer.

    1
  • Mathew luby

    Would also like to know if this is on the roadmap and when it will be available? 

    1
  • Jon Hall

    +1 for attachment control. You can do it in Zopim chat, just not the main tool. Not having this feature entails security risk or limitation of functionality if switched off. 

    If this is on roadmap should be possible to share an ETA?

    1
  • Permanently deleted user

    I second what @... said. This app does not block users from uploading unwanted attachments, it just gives the agent the ability to manage them. This is totally useless from our perspective. The whole point is to prevent the user from uploading unwanted file types. If they can upload them, they think we are able to see them. For example, EML files. We can't readily open those and read the email that someone thinks they sent us. We want the user to know at the moment they attach it that we do not accept that particular file type. Same goes for security risk file types, like zip and exe.

    1
  • Jest Paint - Santi

    So, 2 years have passed since this very important issue was raised... any improvements on this end?
    How about implementing DMARC tools for even more safety on incoming emails?

    1
  • Gareth Elsby

    How's the Malicious file scanner working for Zendesk?

    I ask this because 2K games were hacked yesterday, and a malicious actor was able to upload a trojan games launcher to Zendesk's CDN and serve a download link to numerous customers.

    This is pretty much what I was warning last year.

    Now, granted, the breach into Zendesk was the fault of 2K games, but if a bad actor could upload a malicious attachment, it doesn't give me much confidence that customer uploads are being scanned either. It would be good to have some sort of comment on this, as it's only a matter of time before our security team come knocking on my door and asking uncomfortable questions.

    1
  • Anton Van Heerden

    +1 for the ability to have a whitelist of allowed file types. There are ways to build custom restrictions in the Help Center templates but that is not s secure way to do it. We need an admin or perhaps even owner only driven config setting that allows only certain types of attachments. 

    1
  • Ryan Worthen

    This is definitely a pain point for us as new users with Zendesk. We're receiving a variety of attachments and would like to have granular control to determine allowable types. I tried the Attachment Manager plugin, but it's not very helpful. For one, the plugin doesn't work as it claims; we added htm and html files as invalid types so they would be rejected, but they are still coming through just fine. Secondly, we don't want to accept zip files, but the rejection message sent by the app tells users: 

    "If you meant to send this file then please
    package it up as a zip file and resend it."

    There is no way to customize this message, so this support app is of little use to us.
    1
  • Rene-Christian.Foidl

    I agree with this. We'd like to restrict the file types we are receiving in order to prevent file types that could do harm on download/opening. Furthermore, we would like to restrict the amount of files that can be uploaded as well as the total file size that can be uploaded. Currently there is an unlimited amount of files that can be uploaded so although there is a possible single file limit of 50mb, you can apparently upload an unlimited amount of files with 50mb

    1
  • Vincenzo

    HI,

    As administrator I need to be able to exclude certain types of attachments and prevent agents from downloading them (e.g. .exe)

    1
  • Atanas Tomov

    +1 on this. Definitely a must have functionality especially for companies dealing with sensitive documents and are subject to GDPR.

    1
  • Jenny Hertel

    Hello,

    We urgently need a function in the contact form to allow only certain files as attachments.
    With regard to the security of our internal system, we cannot allow attachments that may contain viruses and malware.
    It is very risky to allow Excel files, Word files, zip files, etc.
    As soon as an internal employee processes the request and is not careful when downloading, the entire system is down in seconds.
    After asking support, we were recommended the "attachment manager" app, but unfortunately this only shows which files are invalid.
    The files can still be downloaded without any problems.

    We urgently need a solution, otherwise we cannot allow attachments in the contact form, which simply makes the contact form unusable for the end user.

    Thank you very much.

    1
  • Gentry Geissler
    Zendesk Customer Care

    Hi all! 

    I checked with a couple of those on our Product team and they've stated they have attachment control on the roadmap for development. However, it's not something that I can give an exact ETA for, unfortunately.

    Security is very important to Zendesk, and I personally think this will also be a great feature to be added when it gets here!

    Alexandra, you mentioned also wanting to remove attachments that have been added to a ticket, and that gave me a thought. If you haven't heard of this before, our Ticket Redaction App allows for removal of attachments once they've hit your account. If you have any further GDPR questions make sure you contact privacy@zendesk.com!

    I hope that helps.

    0
  • Nicole Saunders
    Zendesk Community Manager

    Hi SDS - 

    We do not have any further updates at this time. 

    0
  • Ticket Team

    Pretty horrible this is not an option.  Not sure why it's not.  Shows security wasn't the first priority when creating the product.  We have had many attempts of Ransomware that are allowed through the ticket system.  A $50 home firewall has these options.

    0
  • Charlie

    Hi All,

     

    Zendesk have an App for this - made by themselves, not a third party - it's free! It has the feature of blocking / allowing by extension and also allows a few other useful features.

    Its called "Attachment Manager"

    0
  • Carl McDowell
    Zendesk Customer Care

    Like Charlie mentioned you can use this free app from the marketplace which has an allow/block list.

    Marketplace link: https://www.zendesk.com/apps/support/attachment-manager/

    Description:
    Attachment Manager is a collection of apps that allows you to work with and manage ticket attachments. It combines Attachment Library, Attachment Restriction, Attachment Tagger (formerly Attachment Finder) and the Redact Attachments App. Attachment Manager combines the functionality of these apps into one sidebar experience. It allows an agent to open and close various apps using an accordion-style interface.

    0
  • Adam

    I'd like to +1 this request.

    We use Zendesk for our DMCA/Abuse tickets, and some users will submit attachments with very graphic content.

    We need our customers to attach files, but the issue we are seeing is the thumbnail that appears in the ticket feed. If we get a jpg our staff can be exposed to some unpleasant sights.

    We've like to be able to prevent previews of these thumbnails.

    ------------------------------------------------------------------------------->>>>>>>>>>

    0
  • Amisha Sharma
    Zendesk Product Manager

    Hey all,

    I just wanted to thank you for taking the time to share your feedback with us! At this time, this isn’t something we are able to fit into our roadmap. We are focusing our resources on composer stability and a few other highly requested features.

    Regarding our composer stability efforts, we are working towards migrating all composers to use the same technology so that any bugs reported can be easier and faster for us to fix and manage.

    While we cannot look into this within the next 6-12 months, we have added your feedback to our backlog for future review.

    0
  • Dave Dyson
    Hi Gareth, thanks for this feedback – I see the ticket you're referring to, and that has been escalated to our security team to have a look.
    0

Bitte melden Sie sich an, um einen Kommentar zu hinterlassen.

Powered by Zendesk