On March 19th, 2018, Zendesk was notified about a vulnerability affecting a small subset of email ticket notifications. The vulnerability allowed an unauthorized person to add themselves to a ticket via email by using a ticket ID that is meant to be known only to ticket participants; in practice, anyone who receives a forwarded notification also holds that ID. This vulnerability did not affect the security of information stored on the Zendesk platform. However, it could have allowed access to external, non-Zendesk services that do not vet the specific email address of a user being added and instead check only that the address belongs to an expected domain.
To mitigate this issue, we have released a product enhancement that changes how we handle ticket replies sent via email by third parties. A third party is defined as a person who is neither the ticket requester nor someone already listed as a CC on the ticket.
The most common use case is an email notification that gets forwarded to a third party who is not the requester or a CC on the ticket. Previously, if that party replied to the ticket via email, we would add them as a CC on the ticket, post their reply as a public comment, and show a flag warning that a third party who was not previously part of the conversation had joined.
Ticket replies via email that originate from third parties are now rendered as private comments on the ticket. The warning flag that was previously shown continues to be shown. An agent, the requester, or a CC on the ticket must add the third party as a CC before future replies from that person are rendered as public comments.
What You Should Do
Based on our analysis, this is not a common workflow and is limited to a very small subset of our customers' email ticket workflows. If, however, your workflow requires introducing third-party individuals to a ticket, your agents will need to manually add the third party as a CC so that future replies from that person are rendered as public comments. Because a third party's first comment arrives as private, it will need to be copied and quoted manually if all participants on the ticket need to see it.
We realize that this may be an inconvenience for some specific workflows. Security is often a trade-off against ease of use. Our primary concern is the security of our customers, and we have made this change in support of that concern.
If this change is disruptive to your current business processes, please reach out to our support team so we can explore potential solutions together. Submit a ticket with "Third Party Change" in the subject along with any pertinent details. Alternatively, you can send email to firstname.lastname@example.org.