Hello Zendesk Peoples,
A security fix that was implemented in product earlier this year has had a negative impact on Zendesk customers that leverage the product for providing external-facing support. The ability of end users and agents to clearly communicate with each other and others at the end user's organization has been impacted.
The below update effectively forces an end-user to log in to the support portal to add a co-worker to a ticket. This is sub-optimal as it is asking the end-user to take additional steps. When an end-user CCs a co-worker, only agents then have visibility into the new comments. There is no method for the Agent to convert a Private Comment to a Public Comment, only compounding the issue of lack of visibility by other end-users on the ticket. In short, the best of intentions to plug the below security issue has led to a state where agents have to ask the customer / end-user to do an agent's job for them. This leads to bad support interactions and lower NPS scores. As a support provider, I should never have to ask a customer to take an action to make notes visible to a co-worker at the customer's business.
"Zendesk was notified about a vulnerability within our ticket CC feature of the Support application. The vulnerability allowed a malicious user to add themselves to a ticket via email by leveraging an ID known only to ticket participants. However, this could be abused to access 3rd party services that do not vet specific email addresses, but instead only check the domain name when adding a user to their services.
On March 22, 2018, Zendesk deployed a security fix in response to a detected vulnerability. This fix was pushed in order to close the vulnerability but will impact certain workflows relying on ticket CCs.
In order to mitigate this issue, we’re changing our handling of ticket replies via email from third parties. A third party is defined as a person who is neither the ticket requester nor someone previously listed as a CC on a ticket. Ticket replies via email that originated from a third party will now be rendered as private comments on a ticket. An agent, the requester, or a CC on the ticket must add the third party as a CC to allow future replies from them to be public."