$50,000 Bounty: Researcher Reveals Critical Zendesk Email Spoofing Flaw (CVE-2024-49193)
In a detailed analysis by security researcher Daniel, a serious vulnerability in Zendesk’s email management system, tracked as CVE-2024-49193, has been revealed. This flaw exposes companies using Zendesk to a dangerous email spoofing exploit that allows unauthorized access to sensitive support ticket histories. Despite initial dismissals of the report by Zendesk, the gravity of the issue has become clear, forcing companies to take immediate action.
As outlined by Daniel, the vulnerability is rooted in Zendesk’s handling of email collaborations. Zendesk automatically generates a reply-to address, such as support+id{id}@company.com, for every ticket. This system is meant to help companies track email threads related to support requests. However, a significant oversight in Zendesk’s email spoofing protections allows attackers to exploit this system.
Daniel explains the simplicity of the attack: “If an attacker knew the support email address and the ticket ID (which are usually easy to guess since ticket IDs are incremental), they could use email spoofing to impersonate the original sender.” By sending a forged email to Zendesk, the attacker can CC their own email and effectively gain full access to the entire ticket history, which may contain sensitive information.
This flaw was discovered earlier this year, and despite Daniel’s quick reporting to Zendesk through their bug bounty program, the response was less than ideal. The bug was dismissed as “out of scope” because it relied on email spoofing, which Zendesk considered outside the scope of its HackerOne program. However, Daniel notes, “It was unbelievable” that such a significant security risk was dismissed so casually.
Image: Daniel
One of the most concerning aspects of CVE-2024-49193 is the widespread potential for abuse. Daniel’s analysis shows that the vulnerability allows attackers to brute-force or estimate ticket IDs, making it possible to target numerous Zendesk instances. Since ticket IDs are often incremental, once an attacker estimates a range of ticket numbers, they can begin exploiting the system.
The attacker’s steps are simple but effective. They send spoofed emails from legitimate-looking addresses, targeting tickets within the estimated range. By manipulating Zendesk’s email collaboration feature, they can add themselves to any ticket and view its complete history. “This meant an attacker could effectively join any ongoing support conversation, and read sensitive information—all because Zendesk didn’t have proper safeguards against email spoofing,” Daniel highlights.
Once Daniel replicated the exploit, he began individually reporting the vulnerability to companies using Zendesk. Some companies reacted swiftly, disabling Zendesk’s email collaboration feature to close the security hole. Over the course of his reporting, Daniel earned over $50,000 in bounties from affected companies. However, the reaction from Zendesk itself was slower. It wasn’t until several companies applied pressure that Zendesk began taking the vulnerability seriously.
Daniel’s work has forced companies and Zendesk to reevaluate their security measures. His analysis uncovered how simple mistakes, like insufficient spoofing protections, can lead to widespread security risks. Zendesk has since patched the issue, but only after facing significant backlash from the security community.
