UPDATED: August 8, 2019 with LogMeIn Rescue details.
While recently investigating a report by a developer, we determined that API tokens in three Zendesk integration apps, built and distributed by Zendesk, were being returned to agents as part of their browser session. The three affected integration apps were: Shopify, Magento, and Highrise. On August 8th, we announced a fourth and final affected integration: LogMeIn Rescue.
These tokens were intended to stay within the server-side connection between Zendesk and the third-party service. Instead, an agent using one of these apps could retrieve the token from their own browser session (for example, by inspecting the app's network traffic in the browser's developer tools).
The API token was accessible only to agents of your Zendesk account, not to anyone outside your organization. An agent who retrieved an exposed token could use it to read data in your linked application, with the permissions that token carries. It is unlikely that agents would inspect their browser traffic and maliciously exploit the exposed tokens, but we thought it best to let you know about this discovery. At this point in time, we have no indication that any malicious activity occurred as a result of this vulnerability.
How did this happen?
This issue was a security vulnerability introduced by Zendesk developers when they built these applications. The Zendesk Apps framework provides a feature, “Secure Settings”, for exactly this purpose: a setting marked secure is never sent to the browser, and its value is inserted server-side into requests that the app routes through Zendesk's proxy. In these cases, our developers did not consistently use this feature, so the third-party token was handled as an ordinary setting and reached the agent's browser. We have taken multiple steps to resolve this issue and apologize for any difficulty this may have caused.
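The following is an added illustration, not Zendesk's code or the code of the affected apps: an offline audit of a Zendesk Apps framework (ZAF v2) app for the class of defect described above. A secret parameter must be declared with `"secure": true` in manifest.json and used only as a `{{setting.<name>}}` placeholder inside `client.request({ ..., secure: true })`; if browser-side code reads it from `client.metadata().settings`, the token lands in the agent's session. The manifest, app source and parameter names below are constructed sample input, and the exact code path by which the affected apps leaked their tokens is not described on this page.

```javascript
// Added example, not Zendesk's code: audit a ZAF v2 manifest and app source for
// secrets that are not kept behind Secure Settings. All inputs are constructed.

const SECRET_HINT = /(token|secret|password|api[_-]?key)/i;

// Constructed manifest in the vulnerable shape: the token is a plain parameter.
const manifestBefore = {
  name: "Example Shop Integration",
  parameters: [
    { name: "shop_url", type: "url", required: true },
    { name: "api_token", type: "password", required: true } // no "secure": true
  ]
};

// Constructed manifest in the fixed shape.
const manifestAfter = {
  name: "Example Shop Integration",
  parameters: [
    { name: "shop_url", type: "url", required: true },
    { name: "api_token", type: "password", required: true, secure: true }
  ]
};

// Constructed browser-side source that reads the token out of metadata and
// attaches it to the request itself, so the token is present in the browser.
const sourceBefore = `
client.metadata().then(function (m) {
  var token = m.settings.api_token;
  client.request({
    url: m.settings.shop_url + "/admin/orders.json",
    headers: { "X-Shop-Token": token }
  });
});`;

// Fixed source: the placeholder is substituted by Zendesk's proxy, never in the browser.
const sourceAfter = `
client.metadata().then(function (m) {
  client.request({
    url: m.settings.shop_url + "/admin/orders.json",
    headers: { "X-Shop-Token": "{{setting.api_token}}" },
    secure: true
  });
});`;

// Half-fixed source: placeholder used, but the request is not proxied (secure: true missing).
const sourceHalfFixed = `
client.request({
  url: "https://shop.example/admin/orders.json",
  headers: { "X-Shop-Token": "{{setting.api_token}}" }
});`;

// Parameters that hold secrets: password-typed, or named like a credential.
function secretParams(manifest) {
  return (manifest.parameters || []).filter(
    (p) => p.type === "password" || SECRET_HINT.test(p.name)
  );
}

// Finding 1: a secret parameter that is not declared "secure": true.
function insecureSecretParams(manifest) {
  return secretParams(manifest).filter((p) => p.secure !== true).map((p) => p.name);
}

// Finding 2: browser code reads a secret parameter from metadata settings
// (settings.api_token or settings["api_token"]).
function metadataReads(manifest, source) {
  return secretParams(manifest)
    .filter((p) =>
      new RegExp(`settings\\.${p.name}\\b|settings\\[["']${p.name}["']\\]`).test(source))
    .map((p) => p.name);
}

// Finding 3: a {{setting.x}} placeholder inside a client.request whose
// options object does not carry secure: true.
function placeholdersWithoutSecureRequest(source) {
  const findings = [];
  const callRe = /client\.request\(\s*(\{[\s\S]*?\})\s*\)/g;
  let m;
  while ((m = callRe.exec(source)) !== null) {
    const opts = m[1];
    const names = [...opts.matchAll(/\{\{setting\.([A-Za-z0-9_]+)\}\}/g)].map((x) => x[1]);
    if (names.length && !/\bsecure\s*:\s*true\b/.test(opts)) findings.push(...names);
  }
  return findings;
}

function audit(manifest, source) {
  return {
    insecureParams: insecureSecretParams(manifest),
    browserReads: metadataReads(manifest, source),
    unproxiedPlaceholders: placeholdersWithoutSecureRequest(source)
  };
}

console.log("before:", audit(manifestBefore, sourceBefore));
console.log("after:", audit(manifestAfter, sourceAfter));
```

Run against a private app's own manifest.json and app source, any non-empty finding means the third-party token can reach the agent's browser and should be rotated once the app is fixed, which is the same remediation this notice describes for the affected integrations.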
What has Zendesk done to protect its customers?
Once we identified this issue, we released updated versions for the Shopify integration on July 11, and the Magento integration on July 15. These new versions leverage “Secure Settings” to protect the token. For Shopify customers, we automatically rotated all customer tokens on July 22, fully protecting these users.
We removed the Highrise integration application from our app marketplace on July 18, and deprecated the application on July 23. An end-of-life was already being planned for this application due to limited usage, and was expedited to protect customers.
We removed the LogMeIn Rescue integration application from our app marketplace on July 18, and released a temporary fix on July 25. However, after identifying a variant of the original issue, we deprecated the application on August 8.
We have notified all impacted account owners and admins via in-product message or, in some cases, email.
What you should do
Customers using the Shopify integration need not take further action to be protected, since their tokens were rotated on July 22. However, they may wish to review their Shopify store for unexpected API access before that date, which would indicate use of the old token outside the integration. At this point in time, Zendesk is not aware of any malicious exploitation of this vulnerability.
Customers using the Zendesk Magento app that integrates with Magento M1 will need to rotate their Magento API token. Instructions to do so can be found here.
Customers using the Highrise integration do not need to take further action, but will notice that the Highrise integration is no longer available to them. We have reached out to customers directly to make them aware.
Customers using the LogMeIn Rescue integration will notice that the LogMeIn integration is no longer available to them and will need to rotate their token (the LogMeIn Single-Sign-On Password) manually in order to ensure their account continues to be appropriately secured. You can do so by following the instructions here. We have reached out to customers directly to make them aware.
We take your security seriously and we’re here to support you. If you have any questions or concerns, please contact us at firstname.lastname@example.org.
In the event of a suspected security incident, please submit a ticket with “Security” in the subject along with any pertinent details. Alternatively, you can send email to email@example.com or call the customer support line at +1 415-418-7506 (Americas, US), +44 20 3355 7960 (Europe, UK), +61 3 9008 6775 (Asia-Pacific, Australia).