Smart Phishing Using the Ticket Feature of Customer Support Software
I found a security vulnerability in Freshdesk that lets an attacker submit ticket requests with a spoofed sender address. In real-life scenarios this can be used to craft more convincing phishing attempts.
The ability to easily spoof an e-mail sender is always a great risk for organizations. Attackers hiding behind a trusted sender typically try to steal credentials from the victims or to take over victims’ computers with ransomware or other malware. To protect against such attacks, companies need security controls that determine whether the sender of an e-mail is genuine. Inbound e-mail filtering solutions can enforce the company’s e-mail authentication policy, built on standards like SPF, DKIM, and DMARC, and quarantine messages that fail those checks. As such controls become effectively deployed, attackers develop new scenarios and approaches to get around them.
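The check that paragraph describes, as an added example that is not part of the original write-up: an inbound filter takes the SPF and DKIM outcomes for a message, tests whether an authenticated identifier aligns with the visible From: domain, and applies the From: domain owner's DMARC policy when nothing aligns. The `DMARC_RECORDS` table is a constructed stand-in for the DNS TXT lookup of `_dmarc.<domain>`, the message is a constructed sample, and the organizational-domain helper is deliberately crude (a real filter uses the Public Suffix List).

```python
"""DMARC-style disposition for an inbound message (added example, not from the article)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS: organizational domain -> published _dmarc TXT record.
DMARC_RECORDS = {
    "trusted-partner.example": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
}

def org_domain(domain):
    """Crude organizational domain (last two labels); real filters use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(identifier_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if not identifier_domain:
        return False
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)

def parse_dmarc(record):
    """Split a DMARC record into tags, with RFC 7489 defaults for the tags used here."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def evaluate(raw_message, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) given the SPF and DKIM outcomes for the message.

    spf_domain is the envelope (MAIL FROM) domain that SPF evaluated,
    dkim_domain the d= tag of the signature that verified."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    record = DMARC_RECORDS.get(org_domain(from_domain))  # simplified: no subdomain-policy walk
    if record is None:
        return "none", "deliver"  # no policy published; DMARC does not apply
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

# Constructed sample: the From: header claims a trusted partner, but the envelope
# sender that passed SPF belongs to an unrelated domain and there is no DKIM signature.
SPOOFED = (
    "From: Partner Support <support@trusted-partner.example>\n"
    "To: employee@company.example\n"
    "Subject: Ticket update\n"
    "\n"
    "Please review the attached ticket.\n"
)

if __name__ == "__main__":
    print(evaluate(SPOOFED, "pass", "unrelated-sender.example", "none", None))
```

The spoofed sample fails DMARC even though SPF passed, because the envelope domain that passed does not align with the From: domain; the partner's `p=quarantine` policy then sends it to quarantine. Swap in an aligned envelope domain or a valid DKIM signature for the partner's domain and the same message is delivered.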
3rd Party Software - Help Desk
Freshdesk is one of many help desk software products available to organizations for managing customer support services.
Freshdesk, the online customer engagement solution from Freshworks, lets you streamline your company’s customer support using the customer service software and helps you to efficiently manage your customers as you scale.
Freshdesk accounts are reachable by default under companyname.freshdesk.com or support.company.com. Looking at the source code of the login page, the default Freshdesk title strings “Login to the support portal” and “Help Desk Software by Freshdesk” identify these portals, so attackers can use them in the reconnaissance phase with a Google dork such as the one below.
site:*.freshdesk.com intext:“Login to the support portal” or “Help Desk Software by Freshdesk” -site:support.freshdesk.com
Due to an authorization vulnerability in Freshdesk, an attacker can perform social engineering attacks by impersonating trusted sources.
Support portals are not fully open to the outside; logging in to the Freshdesk support portal is done with one of the following methods:
- Social accounts (Google, Twitter, Facebook)
- Signup feature
Figure-1: Google Social Login
Vulnerability Details:
After logging in with a social account as in Figure-1, we get access to the ticket submission page. On this page the “Sender email address” field can be changed by the end user. We planned to test this in two different ways.
First, we will use an e-mail address that does not exist in the company.
Then, we will use a company e-mail address. For this, it is important to prepare in advance by identifying employees’ e-mail addresses through social networks.
- Business relationship information includes the associates of a target and may be discovered via social media sites such as LinkedIn or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (MITRE source: https://attack.mitre.org/techniques/T1272/)
Let’s try to create a new ticket using the address [email protected]. When we click the send button, we are redirected to the login screen. At first glance it looks as if the portal rejected the request for authorization reasons, because the sender e-mail is not the same as the address we logged in with, and sent us back to the login screen. Let’s send a ticket again with an e-mail address belonging to the company. Likewise, we were redirected to the login screen.
Figure-2: Submit a ticket - https://support.company.com/support/tickets/new
When we examined the ticket in the admin panel, we saw that the attacker can make the impersonated “sender mail address” more convincing by setting the person’s name and avatar. With this information imitated, the ticket looks quite misleading, and attackers can turn it into a social engineering vector.
Figure-3: Ticket page (our Freshdesk admin page) - [email protected]
Figure-4: Sender’s contact details (our Freshdesk admin page) - [email protected]
Figure-5: Ticket page (our Freshdesk admin page) - Full name, picture, malicious links, malicious files.
Considering what can be done from an offensive perspective, the impact of this vulnerability can be increased by combining it with the following low-impact findings:
- An external link can be added to the message using the text editor, so a malicious website link can be included.
- Since the image HTML tag can be used in the editor, the Net-NTLM credentials of support employees working on Windows machines can be captured.
- Since the form includes a file upload feature with no restriction on the file extension, files with the exe extension can also be sent; the attacker can deliver malware as an attachment.
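The support-side controls that close the three low-impact findings above, as an added example that is not Freshdesk's code: attachments are accepted only by an extension allowlist (the final extension of the bare file name, so `report.pdf.exe` is refused), and the HTML ticket body is rebuilt so that images load only from our own host over https (an `<img>` pointing at an untrusted host makes the agent's machine fetch it), while links keep only http(s) targets and are collected for review. The tag set, the `IMAGE_HOSTS` allowlist and the sample body are assumptions constructed for illustration.

```python
"""Attachment allowlist and ticket-body sanitizer (added example, not Freshdesk code)."""
import os
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_ATTACHMENT_EXT = {".pdf", ".png", ".jpg", ".jpeg", ".txt", ".log"}
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "ul", "ol", "li", "a", "img"}
IMAGE_HOSTS = {"support.company.example"}  # constructed: only our own attachment host

def attachment_allowed(filename):
    """Decide by the final extension of the bare file name.

    Client-supplied paths are reduced to a base name, and trailing dots or spaces
    are stripped because Windows ignores them when choosing the handler, so
    'report.pdf.exe' and 'setup.exe.' are both refused."""
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    return os.path.splitext(name)[1] in ALLOWED_ATTACHMENT_EXT

class TicketBodySanitizer(HTMLParser):
    """Re-serialize a ticket body keeping only allowlisted tags.

    Images not served over https from IMAGE_HOSTS are dropped and recorded;
    links keep only http(s) targets, get rel="noopener noreferrer nofollow",
    and are collected so agents or a detection pipeline can review them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.external_links = []
        self.dropped_images = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tags vanish; their text content is still kept as text
        attrs = dict(attrs)
        if tag == "img":
            src = attrs.get("src") or ""
            parts = urlsplit(src)
            if parts.scheme != "https" or parts.hostname not in IMAGE_HOSTS:
                self.dropped_images.append(src)  # covers file://, UNC-style and foreign https sources
                return
            self.out.append(f'<img src="{escape(src, quote=True)}" alt="">')
        elif tag == "a":
            href = attrs.get("href") or ""
            if urlsplit(href).scheme in ("http", "https"):
                self.external_links.append(href)
                self.out.append(f'<a href="{escape(href, quote=True)}" rel="noopener noreferrer nofollow">')
            else:
                self.out.append("<a>")  # javascript:, data:, file: ... become inert anchors
        else:
            self.out.append(f"<{tag}>")  # every other attribute is discarded

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize_ticket_body(html):
    """Return (clean_html, external_links, dropped_image_sources)."""
    parser = TicketBodySanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.external_links, parser.dropped_images

# Constructed sample body as the editor might deliver it to an agent.
SAMPLE_BODY = (
    '<p>Hello, see <a href="https://example.invalid/docs">this page</a>'
    '<img src="file://untrusted-host.example/share/pixel.png">'
    '<img src="https://support.company.example/logo.png"></p>'
)

if __name__ == "__main__":
    clean, links, dropped = sanitize_ticket_body(SAMPLE_BODY)
    print(clean)
    print("links for review:", links)
    print("dropped images:", dropped)
    print(attachment_allowed("invoice.pdf"), attachment_allowed("invoice.pdf.exe"))
```

The sanitizer deliberately rebuilds the body instead of deleting patterns from the original string: anything not on the allowlist never reaches the output, so a new tag or attribute trick does not need a new rule. The dropped image sources and external links are returned rather than silently discarded so they can be shown to the agent and logged for detection.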
Suggestion to Freshdesk: the sender’s e-mail address should not be changeable by the end user.
Suggestion to organizations using Freshdesk: disable social login and/or verify registered users with a confirmation mechanism.
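Both suggestions worked through as an added example (not Freshdesk's code): a framework-free ticket intake where the vulnerable handler uses whatever e-mail the form carries, and the hardened handler ignores the form value, takes the requester from the authenticated session, refuses accounts that have not completed the confirmation-mail step, and flags any mismatch between the submitted and the authenticated address so agents and detection can see the attempt. The `Session`, `Ticket` and form field names are assumptions made for illustration.

```python
"""Ticket intake: form-supplied sender vs. session-bound sender (added example)."""
from dataclasses import dataclass, field

@dataclass
class Session:
    email: str
    email_verified: bool  # set only after the user clicked the confirmation mail

@dataclass
class Ticket:
    requester: str
    subject: str
    body: str
    flags: list = field(default_factory=list)

class Forbidden(Exception):
    """Raised when the request must not create a ticket."""

def create_ticket_vulnerable(session, form):
    """Requester taken from a user-controlled field: any address can be impersonated."""
    return Ticket(requester=form["email"], subject=form["subject"], body=form["body"])

def create_ticket_hardened(session, form):
    """Requester bound to the authenticated identity; the form value is at most a hint."""
    if session is None:
        raise Forbidden("login required")
    if not session.email_verified:
        raise Forbidden("e-mail address not confirmed")
    ticket = Ticket(requester=session.email, subject=form["subject"], body=form["body"])
    submitted = (form.get("email") or "").strip().lower()
    if submitted and submitted != session.email.lower():
        # Keep the ticket, but record the attempted impersonation for agents and detection.
        ticket.flags.append(f"sender-mismatch:{submitted}")
    return ticket

if __name__ == "__main__":
    # Constructed sample: a social-login user submits a ticket "from" a company address.
    form = {"email": "finance.lead@company.example", "subject": "Invoice", "body": "see attachment"}
    user = Session(email="someone@webmail.example", email_verified=True)
    print(create_ticket_vulnerable(user, form).requester)   # the impersonated address
    print(create_ticket_hardened(user, form))                 # real requester plus mismatch flag
```

The flag is the part worth keeping even if the portal already shows the requester correctly: a burst of `sender-mismatch` flags naming company addresses is exactly the signal a SOC would want to alert on.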
If you disable social login completely, a message like the one below is displayed:
Sorry! You do not have enough permission to access this page. Please contact your Account administrator
- 14 April 2020 - Discovery
- 14 April 2020 - Reported to Freshdesk Security
- 14 April 2020 - Report closed as ‘Invalid’
- 3 June 2020 - Public disclosure
Special thanks to Barış Akkaya