
Researchers Reported Critical SQLi and Access Flaws in Zendesk Analytics Service


Cybersecurity researchers have disclosed details of now-patched
flaws in Zendesk Explore that could have been exploited by an
attacker to gain unauthorized access to information from customer
accounts that have the feature turned on.

“Before it was patched, the flaw would have allowed threat
actors to access conversations, email addresses, tickets, comments,
and other information from Zendesk accounts with Explore enabled,”
Varonis said[1]
in a report shared with The Hacker News.

The cybersecurity firm said there was no evidence to suggest
that the issues were actively exploited in real-world attacks. No
action is required on the part of the customers.

Zendesk Explore is a reporting and analytics solution[2] that allows
organizations to “view and analyze key information about your
customers, and your support resources.”


According to the security software company, exploitation of the
shortcoming first requires an attacker to register for the ticketing service[3]
of its victim’s Zendesk account as a new external user, a feature
that’s likely enabled by default to allow end-users to submit
support tickets.

The first vulnerability is an SQL injection in Zendesk Explore's GraphQL API
that could be abused to exfiltrate all information stored in the
database with admin-level access, including email addresses, tickets, and
conversations with live agents.


A second flaw concerns an access-control logic issue in a
query execution API, which was configured to run submitted queries
without checking whether the “user” making the call had adequate
permission to do so.

“This meant that a newly created end-user could invoke this API,
change the query, and steal data from any table in the target
Zendesk account’s RDS, no SQLi required.”
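The two weaknesses described above, as an added illustration that is not Varonis's or Zendesk's code: a query endpoint that runs client-supplied SQL with no authorization check, beside a hardened version that only runs server-side saved queries, parameterized and gated on the caller's role. The table names, role names, and sample rows are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass

@dataclass
class Caller:
    user_id: int
    role: str  # "end_user" or "admin" (constructed role names)

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the report database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tickets(id INTEGER, requester_id INTEGER, subject TEXT);
        CREATE TABLE users(id INTEGER, email TEXT);
        INSERT INTO tickets VALUES (1, 10, 'Login broken'), (2, 11, 'Refund request');
        INSERT INTO users VALUES (10, 'alice@example.test'), (11, 'bob@example.test');
    """)
    return db

# Pattern the article describes: the endpoint executes whatever query text the
# client submits and never consults the caller's role, so a self-registered
# end-user reads tables that only an admin should see.
def run_query_unchecked(db, caller: Caller, sql: str):
    return db.execute(sql).fetchall()

# Hardened version: the client names a saved query and never supplies SQL; each
# saved query is parameterized and carries the minimum role allowed to run it.
SAVED_QUERIES = {
    "my_tickets": ("SELECT id, subject FROM tickets WHERE requester_id = ?", "end_user"),
    "all_users": ("SELECT id, email FROM users", "admin"),
}
ROLE_RANK = {"end_user": 0, "admin": 1}

def is_allowed(caller: Caller, query_id: str) -> bool:
    if query_id not in SAVED_QUERIES:
        return False
    return ROLE_RANK[caller.role] >= ROLE_RANK[SAVED_QUERIES[query_id][1]]

def run_saved_query(db, caller: Caller, query_id: str):
    if not is_allowed(caller, query_id):
        raise PermissionError(f"{caller.role} may not run {query_id!r}")
    sql = SAVED_QUERIES[query_id][0]
    # The only bound parameter is the caller's own id, taken from the session,
    # so an end-user cannot widen the row filter by editing the request.
    params = (caller.user_id,) if "?" in sql else ()
    return db.execute(sql, params).fetchall()
```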

Varonis said the issues were disclosed to Zendesk on August 30,
following which the weaknesses were rectified by the company on
September 8, 2022.

References

  1. said (www.varonis.com)
  2. reporting and analytics solution (support.zendesk.com)
  3. ticketing service (developer.zendesk.com)
