Placeholder for Dayzzz: Abusing placeholders to extract customer informations
A post by Ophion Security that looks at customer support portals built on Zendesk that are poorly configured, GitHub’s among them. Zendesk supports “placeholders” for tickets, mainly for support agents and automated responses to use for autofilling information such as the ticket ID, someone’s name, etc. Because this is of course enticing as an attack surface, Zendesk has two separate APIs for ticket handling. The requests API is the less privileged one and is what customer support portals should use, while the tickets API is an admin API and can use placeholders. It turns out that many of the Zendesk-based support portals they looked at incorrectly used the tickets API. This can give untrusted users access to placeholders, which in some cases can allow exfiltrating private information.
Case study: GitHub

GitHub was one such vendor that had this misconfiguration. Because a bot manages the ticket on Zendesk and essentially proxies it, one possible attack is exfiltrating the bot’s user info. Perhaps more impactful is the ability to CC other users onto the ticket and get access to their respective user objects, which can allow an attacker to dump their email, name, roles, and other fields.
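A defense-in-depth sketch for a portal backend or bot that proxies user text into Zendesk, added here as an example and not taken from the Ophion post, GitHub, or Zendesk's own code. It assumes placeholders use Liquid-style `{{ ... }}` and `{% ... %}` markup and that the portal targets the end-user path `/api/v2/requests.json`; the function names and sample inputs are hypothetical.

```python
import re

# Assumption: Zendesk placeholders are Liquid markup, {{ output }} and {% tag %}.
LIQUID_MARKUP = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)

# Less privileged end-user endpoint that portals should use,
# instead of the admin-level /api/v2/tickets endpoint.
REQUESTS_ENDPOINT = "/api/v2/requests.json"


def strip_placeholders(text):
    """Return (clean_text, removed) with all Liquid markup deleted.

    Loops to a fixpoint: deleting one match can join the characters on
    either side of it into a new delimiter pair.
    """
    removed = []
    while True:
        found = LIQUID_MARKUP.findall(text)
        if not found:
            return text, removed
        removed.extend(found)
        text = LIQUID_MARKUP.sub("", text)


def build_portal_request(subject, body, name, email):
    """Build (path, payload, findings) for an untrusted portal submission.

    findings lists every piece of markup that was stripped, so the caller
    can log or alert on attempted placeholder use.
    """
    clean_subject, hits_subject = strip_placeholders(subject)
    clean_body, hits_body = strip_placeholders(body)
    payload = {
        "request": {
            "subject": clean_subject,
            "comment": {"body": clean_body},
            "requester": {"name": name, "email": email},
        }
    }
    return REQUESTS_ENDPOINT, payload, hits_subject + hits_body


if __name__ == "__main__":
    # Constructed sample submission containing placeholder markup.
    print(build_portal_request(
        "Help {{ticket.id}}", "Hi {{ticket.requester.name}}",
        "Sam", "sam@example.com"))
```

A non-empty findings list on a public portal is worth alerting on, since ordinary end users have no reason to submit placeholder markup.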