Deskpro accounts were vulnerable to hackers, Checkmarx reveals
The successful exploitation of the discovered XSS vulnerability could have allowed attackers to hijack the sessions of admins and take over the accounts of helpdesk agents
Israeli cybersecurity company Checkmarx found security vulnerabilities in Deskpro, a popular help desk software solution that helps thousands of organizations manage their communications for millions of customers around the globe via email, live chat, voice, social media, and more.
The Checkmarx Security Research Team, which continuously investigates potentially vulnerable websites and applications, uncovered the vulnerabilities back in October of last year. Deskpro fixed the issues within a week but requested a 90-day wait before public disclosure.
According to Checkmarx, the successful exploitation of the discovered XSS vulnerability could have allowed attackers to hijack the sessions of admins and take over the accounts of helpdesk agents. "This would give the attackers the same privileges as admins and agents in terms of what they can execute, or the information they are exposed to. In certain cases, attackers would have been able to reset the helpdesk, wiping all system data," Checkmarx explained.
Given the shift to remote work and the need for software that enables virtual collaboration, Checkmarx decided to audit the security of Deskpro in accordance with Deskpro's Responsible Disclosure/Bug Bounty Program.
"After discovering and validating the vulnerability, we notified Deskpro of our findings and worked with them throughout the remediation process until they informed us everything was appropriately patched. Deskpro's responsiveness and professionalism throughout the process are worth noting and quite admirable," Checkmarx added in their report. "Despite being very old and well-documented, XSS vulnerabilities continue to be one of the most overlooked and serious issues. Application security testing solutions are key for detecting XSS vulnerabilities and are a critical component in enabling developers to build, deploy, and maintain secure software."