Cybercriminals have been exploiting a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that appear to come from hundreds of legitimate companies simultaneously. The attacks, known as "email bombs," are made possible by Zendesk's default or permissive settings that allow anonymous ticket creation and unverified email addresses. This vulnerability has been reported to affect numerous high-profile organizations, including The Washington Post, NordVPN, and Discord.

What Happened

In recent weeks, several prominent online security experts have reported receiving thousands of ticket creation notification messages through Zendesk in rapid succession. These messages bore the names of different Zendesk customers, such as Capcom, CompTIA, GMAC, and Tinder, and were sent from those customers' domain names rather than from Zendesk itself. The abusive missives sent via Zendesk's platform can include any subject line chosen by the abusers, with some containing personal insults or warnings about supposed law enforcement investigations.

According to a report by KrebsOnSecurity, the automated messages sent out through this type of abuse all come from customer domain names, not from Zendesk. For example, replying to any of the junk customer support responses from The Washington Post's Zendesk installation shows the reply-to address is [email protected].

Background and Context

Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. The platform lets customers configure their instances to accept support requests from anyone, including anonymous users. Companies do this for various business reasons, such as accepting requests without prior verification of the submitter, or because their support workflow requires tickets to be created that way.

However, this lax authentication configuration has been exploited by cybercriminals to orchestrate large-scale email bombing attacks. The attackers use automated scripts or bots to submit thousands of tickets, each using the victim's email address as the submitter. When the Zendesk instance is configured to send auto-responder notifications upon ticket creation, the victim receives a deluge of emails from the support addresses of various legitimate organizations.
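The pattern just described, many ticket-creation notifications from many unrelated customer domains landing in one inbox within minutes, is detectable on the receiving side. The following is an added example, not code from the article, KrebsOnSecurity or Zendesk: it runs a sliding window over constructed message headers, flags a burst when one window holds many notifications from many distinct sender domains, and tallies Reply-To domains so the recipient knows which customer instances were abused. The window size and thresholds are illustrative assumptions.

```python
"""Flag a Zendesk-style "email bomb" burst in a mailbox export.

Added example, not from the article, KrebsOnSecurity or Zendesk. The
messages below are constructed to resemble the pattern the article
describes: ticket-creation notifications from many different customer
domains arriving at one inbox in rapid succession. The window and
thresholds are illustrative assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta
from email.utils import parseaddr

BURST_WINDOW = timedelta(minutes=10)   # assumption: burst window
MIN_MESSAGES = 20                      # assumption: notifications per window
MIN_DOMAINS = 5                        # assumption: distinct sender domains per window


def sender_domain(header_value):
    """Extract the bare, lower-cased domain from a From:/Reply-To: header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def peak_window(messages, window=BURST_WINDOW):
    """Densest `window` of messages: (count, set of sender domains in it).

    messages: iterable of (received_at: datetime, from_header, reply_to_header, subject).
    """
    events = sorted((ts, sender_domain(frm)) for ts, frm, _rt, _subj in messages)
    best_count, best_domains, start = 0, set(), 0
    for end in range(len(events)):
        # Slide the left edge forward until the window fits.
        while events[end][0] - events[start][0] > window:
            start += 1
        if end - start + 1 > best_count:
            best_count = end - start + 1
            best_domains = {d for _, d in events[start:end + 1]}
    return best_count, best_domains


def is_email_bomb(messages, window=BURST_WINDOW,
                  min_messages=MIN_MESSAGES, min_domains=MIN_DOMAINS):
    """True when one window holds many notifications from many distinct sender domains."""
    count, domains = peak_window(messages, window)
    return count >= min_messages and len(domains) >= min_domains


def reply_to_domains(messages):
    """Per-domain volume keyed on Reply-To: the customer domains whose instances were abused."""
    return Counter(sender_domain(rt) for _ts, _frm, rt, _subj in messages)


def build_sample():
    """Constructed mailbox: a 36-message burst from 12 domains plus two normal notifications."""
    base = datetime(2025, 10, 15, 14, 0, 0)
    domains = [f"customer{i:02d}.test" for i in range(12)]
    msgs = []
    for n in range(36):  # one notification every 10 s, under 6 minutes in total
        d = domains[n % len(domains)]
        msgs.append((base + timedelta(seconds=10 * n), f"Support <support@{d}>",
                     f"support@{d}", f"[Request received] Ticket #{1000 + n}"))
    msgs.append((base - timedelta(hours=3), "Help Desk <help@vendor-a.test>",
                 "help@vendor-a.test", "Your ticket #77 has been updated"))
    msgs.append((base + timedelta(hours=2), "Help Desk <help@vendor-b.test>",
                 "help@vendor-b.test", "Your ticket #78 has been updated"))
    return msgs


if __name__ == "__main__":
    sample = build_sample()
    count, domains = peak_window(sample)
    print(f"peak window: {count} messages from {len(domains)} domains")
    print("email bomb:", is_email_bomb(sample))
    print("abused instances:", reply_to_domains(sample).most_common(3))
```

Keying the tally on Reply-To rather than From matters here because, as the article notes, both point at the customer's domain rather than Zendesk's; the per-domain list is what a recipient would hand to their mail filter or to the affected companies.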

Why It Matters to the Industry

The vulnerability in Zendesk's platform poses significant risks for adult-industry platforms and operators. With the rise of online streaming and webcam infrastructure, companies in this sector rely heavily on customer service platforms like Zendesk to manage support requests and maintain a positive user experience.

However, if left unaddressed, this vulnerability can lead to email flooding, disrupting customer support operations and potentially causing denial of service for legitimate users. Moreover, the lack of authentication on inbound emails is a fundamental security weakness that can be exploited to disrupt customer support workflows.

What Comes Next

Zendesk has acknowledged the issue and stated that they are actively investigating additional preventive measures. In the meantime, customers experiencing this type of activity are advised to follow Zendesk's general security best practices and configure an authenticated ticket creation workflow.

The company also recommends implementing rate limits to prevent a high volume of requests from being created at once. However, as reported by KrebsOnSecurity, these limits did not stop abusers from using Zendesk customers' instances to flood a single inbox with thousands of messages in just a few hours.
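The two mitigations named above, an authenticated ticket creation workflow and rate limits, differ in what they bound. The following is an added example, not Zendesk's code and not a description of its settings: it models an intake policy in which an unverified requester address receives at most one fixed-text verification prompt and no ticket, and a verified address is throttled per requester within a sliding window, then counts the notification emails each address would receive from a constructed flood. The limits, the per-address keying and the verification flow are illustrative assumptions.

```python
"""Ticket-intake policy simulation: verification gate plus per-requester throttle.

Added example, not Zendesk's code and not a description of its settings. It
models the two mitigations the article mentions (authenticated ticket
creation, rate limits) as a small policy and counts how many notification
emails each requester address would receive. Limits, per-address keying and
the verification flow are illustrative assumptions.
"""
from collections import Counter, defaultdict, deque


class RequesterThrottle:
    """Sliding-window limit keyed on the requester address (assumption: per-address keying)."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self._hits = defaultdict(deque)

    def allow(self, requester, now):
        q = self._hits[requester]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def process_submissions(submissions, verified, limit=5, window_seconds=3600,
                        require_verification=True):
    """Return (Counter of notification emails per requester address, list of created tickets).

    submissions: iterable of (timestamp_seconds, requester_email, subject), as an
                 anonymous web form would deliver them.
    verified:    set of addresses that have completed verification.
    An unverified requester gets at most one verification prompt per window and no
    ticket; the prompt has fixed text, so the submitter's subject line is never echoed.
    """
    throttle = RequesterThrottle(limit, window_seconds)
    prompt_sent = RequesterThrottle(1, window_seconds)
    notifications = Counter()
    tickets = []
    for ts, requester, subject in submissions:
        if require_verification and requester not in verified:
            if prompt_sent.allow(requester, ts):
                notifications[requester] += 1   # single verification prompt
            continue
        if not throttle.allow(requester, ts):
            continue                             # over limit: held for review, no email
        tickets.append((ts, requester, subject))
        notifications[requester] += 1           # auto-responder "ticket received"
    return notifications, tickets


def build_sample(n_flood=1500, target="target@example.test"):
    """Constructed input: a flood of submissions naming one address, plus two normal requests."""
    subs = [(t, target, f"constructed subject line {t}") for t in range(0, n_flood * 2, 2)]
    subs.append((100, "alice@example.test", "Password reset not arriving"))
    subs.append((2000, "bob@example.test", "Invoice question"))
    return sorted(subs)


if __name__ == "__main__":
    subs = build_sample()
    for label, kwargs in [
        ("no controls", dict(verified=set(), require_verification=False, limit=10**9)),
        ("throttle only", dict(verified=set(), require_verification=False, limit=5)),
        ("verification gate", dict(verified={"alice@example.test", "bob@example.test"})),
    ]:
        notes, tickets = process_submissions(subs, **kwargs)
        print(f"{label:18s} target={notes['target@example.test']:5d} "
              f"alice={notes['alice@example.test']} bob={notes['bob@example.test']} "
              f"tickets={len(tickets)}")
```

The throttle bounds how many auto-responder emails one address can receive from this instance per window, while the verification gate means an address that never opted in receives a single fixed-text prompt and no attacker-chosen subject line at all; the latter is the property that stops the "menacing messages" the article describes, which is why the two controls are complementary rather than interchangeable.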

Key Facts

  • Cybercriminals are exploiting a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages.
  • The attacks, known as "email bombs," are made possible by Zendesk's default or permissive settings that allow anonymous ticket creation and unverified email addresses.
  • Several prominent security experts have reported receiving thousands of ticket creation notification messages through Zendesk in rapid succession, bearing the names of high-profile organizations.
  • The abusive missives sent via Zendesk's platform can include any subject line chosen by the abusers, with some containing personal insults or warnings about supposed law enforcement investigations.
  • Zendesk has acknowledged the issue and stated that they are actively investigating additional preventive measures.