Support: Restrict Attachments by File Type (Answered)
Zendesk Support provides the ability to restrict customers from adding attachments, or to enable all attachments.
However, this is a global setting and there's no granular control. Many businesses would find their security posture greatly enhanced by the ability to filter allowed attachments by type. For example, some businesses might find image and PDF attachments useful, but would need to block certain other document types and ZIP files.
Please consider empowering admins to exercise greater control over what email attachments can be added by end users to a Zendesk Ticket by allowing them to set allowable attachments by type. This is already possible with the Chat service: https://support.zendesk.com/hc/en-us/articles/360022183834-Managing-file-sending-options
We are set to start the rollout of the Malware Scanning feature in Support on June 27, 2022. There will be an official announcement on the help center on June 27, 2022. As of now, here is documentation on what the feature will entail.
This feature will not include file attachment restrictions; however, we know how important having that capability is and will continue to investigate it in the future.
Agree with this. We have to restrict our agents to using a 3rd party for file transfer where we can control what type of files are being passed back and forth. Given this is an option in Chat, this seems like a no-brainer.
Second the need for this. Without this, malicious files can be downloaded, and it is also a GDPR risk if we're unable to remove sensitive information.
I checked with a couple of those on our Product team and they've stated they have attachment control on the roadmap for development. However, it's not something that I can give an exact ETA for, unfortunately.
Security is very important to Zendesk, and I personally think this will also be a great feature to be added when it gets here!
Alexandra, you mentioned also wanting to remove attachments that have been added to a ticket, and that gave me a thought. If you haven't heard of this before, our Ticket Redaction App allows for removal of attachments once they've hit your account. If you have any further GDPR questions make sure you contact firstname.lastname@example.org!
I hope that helps.
Are there any further updates on this? It's making life very difficult for our users and agents as our security team will not let us allow attachments in the current set-up.
Hi SDS -
We do not have any further updates at this time.
Pretty horrible this is not an option. Not sure why it's not. Shows security wasn't the first priority when creating the product. We have had many attempts of Ransomware that are allowed through the ticket system. A $50 home firewall has these options.
Is there any update on this product roadmap?
Would also like to know if this is on the roadmap and when it will be available?
Zendesk have an App for this - made by themselves, not a third party - it's free! It has the feature of blocking / allowing by extension and also allows a few other useful features.
It's called "Attachment Manager".
Like Charlie mentioned you can use this free app from the marketplace which has an allow/block list.
Marketplace link: https://www.zendesk.com/apps/support/attachment-manager/
Attachment Manager is a collection of apps that allows you to work with and manage ticket attachments. It combines Attachment Library, Attachment Restriction, Attachment Tagger (formerly Attachment Finder) and the Redact Attachments App. Attachment Manager combines the functionality of these apps into one sidebar experience. It allows an agent to open and close various apps using an accordion-style interface.
+1 for attachment control. You can do it in Zopim chat, just not the main tool. Not having this feature entails security risk or limitation of functionality if switched off.
If this is on the roadmap, it should be possible to share an ETA?
I did install the plugin, however it does NOT BLOCK users from uploading restricted file types.
The ticket opens as usual, and the attachment is still visible from Support (although restricted, but this can also be circumvented by agents).
We need an option to REJECT or to BLOCK UPLOAD for certain file types.
I'd like to +1 this request.
We use Zendesk for our DMCA/Abuse tickets, and some users will submit attachments with very graphic content.
We need our customers to attach files, but the issue we are seeing is the thumbnail that appears in the ticket feed. If we get a jpg our staff can be exposed to some unpleasant sights.
We'd like to be able to prevent previews of these thumbnails.
I second what @... said. This app does not block users from uploading unwanted attachments, it just gives the agent the ability to manage them. This is totally useless from our perspective. The whole point is to prevent the user from uploading unwanted file types. If they can upload them, they think we are able to see them. For example, EML files. We can't readily open those and read the email that someone thinks they sent us. We want the user to know at the moment they attach it that we do not accept that particular file type. Same goes for security risk file types, like zip and exe.
So, 2 years have passed since this very important issue was raised... any improvements on this end?
How about implementing DMARC tools for even more safety on incoming emails?
Hello, I have also been contacted by the security team to restrict the upload of files following a message from a bug bounty hunter about this breach.
Any solution proposed by Zendesk to restrict the upload of certain types of file?
We have the same problem; the restriction on attachments added by End Users is available on Chat. But when a Customer gets into Help Center -> My Activities portal he can upload any type of attachment. It is risky as a user can upload anything there, and our security team contacted us as they found it as a bug.
Any solution that is going to be implemented on Help Center for this bug?
This has also been brought to our attention. We have the redact app however most of our Agents do not have delete permissions so it is useless to them.
We need the ability to prevent the attachments from even making it to Zendesk. It is a security concern with a level 1 priority.
I just wanted to thank you for taking the time to share your feedback with us! At this time, this isn’t something we are able to fit into our roadmap. We are focusing our resources on composer stability and a few other highly requested features.
Regarding our composer stability efforts, we are working towards migrating all composers to use the same technology so that any bugs reported can be easier and faster for us to fix and manage.
While we cannot look into this within the next 6-12 months, we have added your feedback to our backlog for future review.
We have also highlighted this to Zendesk as a security issue after having it highlighted by our internal bug bounty program. Malicious actors are able to upload attachments via a support ticket. Our agents are at risk of receiving them, but the file is also able to be served to anybody by grabbing the file from Zendesk's CDN and hotlinking to it. Please see reproduction steps from our report:
2) Navigate to Submit a request --> Enter details & in file upload section as an attacker I'm able to upload execution files such as .php, .aspx files
3) Taking it to further I deleted these files when checked these files are still accessible and stored at backend.
4) This leads to help centre can be used as Temporary drive.
Now I for one do not want my company's subdomain being used as a filestore for serving malicious files and I'm confident that no other customers do either. This issue needs to be brought back on to the roadmap asap as a security issue.
At the very least, incoming attachments should be scanned by Zendesk for exploits and removed. The respective support ticket can be informed of this action by Zendesk.
Hi Gareth, thanks for this feedback – I see the ticket you're referring to, and that has been escalated to our security team to have a look.
We do understand the frustration and concerns of this security risk. This particular file type restriction problem is something we are very interested in addressing in the future.
However, I do want to point out that Zendesk currently scans for email ticket attachments. This may not solve this problem fully, but I wanted to let you know what protection we do have.
In the meantime, we are currently in development of a Malware Scanning tool that will scan file attachments across an area of platforms for the first release in Q1 2022.
More details to come.
Thank you all for taking the time to post your feedback and concerns.
Brief update on the Malware Scanning feature: we are set to release in June 2022 in the Support product. There will be a help center announcement for release dates and further details.
Hello! Any updates on this enabling security features for Zendesk attachments? Based on this thread, this was set to be completed by June 2022.
The malware scanner is a great addition but is not the answer. Orgs should be able to dictate which file types they will allow to be uploaded to their consoles. Many if not most other ticketing solutions provide this granular level of control, and this shows a shortsightedness and lack of concern for security and risk avoidance.
How's the Malicious file scanner working for Zendesk?
I ask this because 2K games were hacked yesterday, and a malicious actor was able to upload a trojan games launcher to Zendesk's CDN and serve a download link to numerous customers.
This is pretty much what I was warning last year.
Now, granted, the breach into Zendesk was the fault of 2K games, but if a bad actor could upload a malicious attachment, it doesn't give me much confidence that customer uploads are being scanned either. It would be good to have some sort of comment on this, as it's only a matter of time before our security team come knocking on my door and asking uncomfortable questions.
Our malware scanning detects malicious files and prevents them from being accessed by unsuspecting users. However, in the case you mention, these events appear to have used legitimate, but compromised, credentials on the customer's Zendesk platform. A Zendesk admin is able to override our malware detection, which is why it’s so important to protect your account with other defense mechanisms (multi-factor authentication, strong passwords, and minimizing the number of administrators in your account). An outside bad actor should not be able to upload malware to your system and distribute it, because our malware scanning should block access to the file. We’d be happy to follow up in another channel about your specific needs, and are always happy to speak to your security team as well.
We've recently seen an influx of malicious attachments that have been able to bypass both Gmail and Zendesk file scanners.
Although virus scanners do help, the best way to prevent these is to have the ability to control what file types are allowed. Would Zendesk consider implementing this critical security feature?
I've recently built an app that extends Zendesk's triggers/automations and removes the attachments from tickets automatically. It was initially built to help with redaction tasks when a ticket is solved, but I can easily configure it to remove certain attachments from new tickets or updates based on inclusion or exclusion criteria.
It's also listed on the apps marketplace. Check it out and register here: https://www.zendesk.com/marketplace/apps/support/867529/auto-remove-attachments/
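The allow/block-by-type policy requested throughout this thread, sketched as an added example; it is not part of any post and is not Zendesk's or any marketplace app's code. The type lists use the extensions named in the thread, and the `id`, `attachments` and `file_name` fields are an assumed shape for a ticket-comment listing.

```python
import os

# Policy built from types named in the thread: images and PDF are accepted,
# everything else is rejected. BLOCKED is matched against every dotted segment,
# so "invoice.pdf.exe" or "shell.php.jpg" cannot pass on the last suffix alone.
ALLOWED = {"png", "jpg", "jpeg", "gif", "pdf"}
BLOCKED = {"zip", "exe", "eml", "php", "aspx"}

def classify(file_name):
    """Return (verdict, reason) for one attachment file name."""
    # Normalise: drop any path, surrounding spaces, trailing dots, and case.
    name = os.path.basename(file_name.replace("\\", "/")).strip()
    name = name.rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return "reject", "no extension"
    segments = [p.strip() for p in parts[1:]]
    hit = next((s for s in segments if s in BLOCKED), None)
    if hit:
        return "reject", f"blocked type .{hit}"
    if segments[-1] not in ALLOWED:
        return "reject", f".{segments[-1]} not on allow list"
    return "allow", f".{segments[-1]}"

def review_comments(comments):
    """List (comment_id, attachment_id, file_name, reason) for rejected files."""
    findings = []
    for comment in comments:
        for att in comment.get("attachments", []):
            verdict, reason = classify(att.get("file_name", ""))
            if verdict == "reject":
                findings.append((comment["id"], att["id"], att["file_name"], reason))
    return findings

# Constructed sample data (ids and names are made up for illustration).
SAMPLE = [
    {"id": 101, "attachments": [{"id": 1, "file_name": "screenshot.PNG"},
                                {"id": 2, "file_name": "invoice.pdf.exe"}]},
    {"id": 102, "attachments": [{"id": 3, "file_name": "forwarded.eml"},
                                {"id": 4, "file_name": "shell.php.jpg"},
                                {"id": 5, "file_name": "report.v2.pdf"}]},
    {"id": 103, "attachments": []},
]

if __name__ == "__main__":
    for row in review_comments(SAMPLE):
        print(row)
```

This runs after a file has already been attached, so it supports triage and redaction rather than the upload-time rejection the thread asks for. A file name is only a label chosen by the sender, so a check like this complements content scanning and does not replace it.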