Full Report
Help Scout is shared inbox, help center and live chat software for managing customer communications. Among other things, emails can be sent to customers from external email addresses proxied through Help Scout. To add an email address to a shared inbox, a verification code is sent to that address to ensure that you control it; once it has been verified, emails can be sent through the address. This is a two-step process: the setting request and the verification. When inspecting the response to the setting request, the authors noticed the field emailIsConfirmed. By setting this value in the JSON of the setting request, the email address is marked as verified. This is commonly referred to as a mass assignment vulnerability, and it isn't very common. Since the email goes through Help Scout, which has verified the proxied address, the SPF and DKIM checks will pass. This allows spoofing of an arbitrary sender at any domain that has authorized Help Scout in its DNS. WordPress, PyPI, Mailchimp and DigitalOcean are big targets that use the platform. Overall, a good post that is straight to the point.
Analysis Summary
# Vulnerability: Help Scout Shared Inbox Mass Assignment
## CVE Details
- **CVE ID:** N/A (Requested/Pending)
- **CVSS Score:** Medium (Vendor/Researcher Assessment)
- **CWE:** CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes (Mass Assignment)
## Affected Systems
- **Products:** Help Scout (SaaS Platform)
- **Versions:** All versions prior to September 18, 2024.
- **Configurations:** Systems utilizing external email addresses proxied through Help Scout shared inboxes.
## Vulnerability Description
The Help Scout API endpoint responsible for updating shared inbox settings (`/api/v0/mailboxes/[MAILBOX-ID]`) was found to be vulnerable to mass assignment. When submitting a `PUT` request to update mailbox properties, the server failed to validate or restrict which JSON fields a user could modify.
Specifically, an attacker could manually include the fields `"email": "[email protected]"` and `"emailIsConfirmed": true` in the request body. Because the backend application blindly assigned these values to the database object, the identity verification process (which usually requires a verification code) was bypassed, allowing the attacker to claim ownership of any arbitrary email address.
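To make the description concrete, here is an added illustration that is not Help Scout's code (which is not public): a toy in-memory mailbox record carrying the two field names from the advisory, a `PUT` handler that copies the request body onto the record the way a mass-assignment bug does, and an allowlisting version of the same handler beside it. The record shape, the `name` field, the handler names and the sample addresses are assumptions made for the demo.

```python
"""Mass assignment in a mailbox-settings update handler (added illustration).

Not Help Scout's code: a toy in-memory model of a shared-inbox record and two
versions of the update handler. Only the field names `email` and
`emailIsConfirmed` come from the advisory; everything else is assumed.
"""
import copy

# Constructed sample record: mailbox 12345 belongs to the calling tenant.
MAILBOX_DB = {
    "12345": {
        "id": "12345",
        "name": "Support",
        "email": "support@tenant.example",
        "emailIsConfirmed": False,  # only the verification-code flow should set this
    }
}

# Fields a mailbox owner may change through the settings endpoint.
UPDATABLE_FIELDS = frozenset({"name", "email"})


def fresh_db():
    """Return an independent copy of the constructed sample data."""
    return copy.deepcopy(MAILBOX_DB)


def update_mailbox_vulnerable(db, mailbox_id, body):
    """Vulnerable pattern: every key in the JSON body lands on the stored object."""
    mailbox = db[mailbox_id]
    mailbox.update(body)  # emailIsConfirmed rides along unchecked
    return mailbox


def update_mailbox_fixed(db, mailbox_id, body):
    """Hardened pattern: allowlist the writable fields, fail closed on anything
    else, and reset the confirmation flag whenever the address changes so it
    can only be set again by the verification-code flow."""
    mailbox = db[mailbox_id]
    rejected = sorted(set(body) - UPDATABLE_FIELDS)
    if rejected:
        # Reject rather than silently drop, so the attempt shows up in logs.
        raise ValueError(f"unknown or read-only fields: {rejected}")
    if "email" in body and body["email"] != mailbox["email"]:
        mailbox["emailIsConfirmed"] = False  # new address must be re-verified
    for key in UPDATABLE_FIELDS & set(body):
        mailbox[key] = body[key]
    return mailbox


def demo():
    """Run the advisory's request shape against both handlers."""
    # Constructed body: the client supplies the server-managed flag itself.
    body = {"email": "help@other-org.example", "emailIsConfirmed": True}
    vuln = update_mailbox_vulnerable(fresh_db(), "12345", body)
    try:
        update_mailbox_fixed(fresh_db(), "12345", body)
        fixed_result = "accepted"
    except ValueError as exc:
        fixed_result = f"rejected: {exc}"
    return vuln["emailIsConfirmed"], fixed_result


if __name__ == "__main__":
    confirmed, outcome = demo()
    print("vulnerable handler marked address confirmed:", confirmed)
    print("fixed handler:", outcome)
```

The important design point is that the confirmation flag is never writable from the client at all; it is derived state owned by the verification flow, and the allowlist makes that explicit instead of relying on the client to omit it.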
## Exploitation
- **Status:** PoC available; Fixed by vendor.
- **Complexity:** Low
- **Attack Vector:** Network
- **Technical Pre-requisite:** An attacker needs a valid Help Scout account and the ID of a mailbox they control.
## Impact
- **Confidentiality:** Low (Does not directly grant access to existing emails of the spoofed domain).
- **Integrity:** High (Allows for highly convincing spear-phishing and email spoofing).
- **Availability:** None.
- **Summary:** Attackers can send emails that pass **SPF and DKIM** checks if the target domain (e.g., pypi.org, wordpress.org) has already authorized Help Scout in their DNS records. This leads to perfect spoofing of trusted entities.
## Remediation
### Patches
- **Vendor Fix:** Help Scout implemented a server-side fix on **September 18, 2024**. As this is a SaaS product, no user action is required for the platform itself.
### Workarounds
- No manual workarounds are necessary for Help Scout users following the vendor's patch.
## Detection
- **Indicators of Compromise:** Unexpected "New Conversation" logs in Help Scout audits or unusual outbound emails from shared inboxes.
- **Detection Methods:** Organizations can check if their domains are vulnerable to being abused via this flaw by auditing their DNS records for Help Scout authorization:
  - Check for SPF records containing `include:helpscout.net`.
  - Check for DKIM records using the `strong1._domainkey` selector pointing to Help Scout.
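The DNS audit from the detection list above, as an added example that is not part of the advisory or of Help Scout's documentation: it walks a domain's SPF policy (following `include:` and `redirect=` within the RFC 7208 lookup budget) to see whether `helpscout.net` is reached, and reports whatever is published at the `strong1._domainkey` selector. The zone data is constructed for the demo, and modelling the selector as a CNAME to a Help Scout name is an assumption (the code also accepts a TXT record there); `lookup()` is a shim to swap for a real resolver such as dnspython's `dns.resolver.resolve(name, "TXT")`.

```python
"""Audit a domain's DNS for Help Scout sending authorization (added example)."""
import re

HELPSCOUT_SPF_DOMAIN = "helpscout.net"
DKIM_SELECTOR = "strong1._domainkey"
MAX_DNS_LOOKUPS = 10  # RFC 7208 s4.6.4: lookup limit per SPF evaluation

# Constructed zone data standing in for live DNS (assumption for the demo):
# example-a.test authorizes Help Scout through a nested include and publishes
# the DKIM selector; example-b.test does neither.
FAKE_DNS = {
    ("example-a.test", "TXT"): ["v=spf1 include:_spf.mailhost.test -all"],
    ("_spf.mailhost.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:helpscout.net ~all"],
    ("strong1._domainkey.example-a.test", "CNAME"): ["strong1._domainkey.helpscout.net."],
    ("example-b.test", "TXT"): ["some-site-verification=abc123",
                                "v=spf1 mx ip4:198.51.100.0/24 -all"],
}


def lookup(name, rtype):
    """Resolver shim; replace the body with a real DNS query for live audits."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for a domain, or None.
    More than one SPF record is a permerror, so it is treated as absent."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def spf_reaches(domain, target, _state=None):
    """True if `domain`'s SPF policy reaches `target` via include:/redirect=,
    staying within the lookup budget and never revisiting a domain."""
    state = _state if _state is not None else {"lookups": 0, "seen": set()}
    domain = domain.lower()
    if domain in state["seen"]:
        return False
    state["seen"].add(domain)
    record = spf_record(domain)
    if record is None:
        return False
    for term in record.split()[1:]:
        m = re.fullmatch(r"[+\-~?]?(include):(.+)|(redirect)=(.+)", term, re.IGNORECASE)
        if not m:
            continue  # ip4/ip6/mx/a/all terms do not delegate to another domain
        nxt = (m.group(2) or m.group(4)).lower().rstrip(".")
        state["lookups"] += 1
        if state["lookups"] > MAX_DNS_LOOKUPS:
            return False  # receivers would return permerror here; stop walking
        if nxt == target or nxt.endswith("." + target):
            return True
        if spf_reaches(nxt, target, state):
            return True
    return False


def dkim_selector_records(domain):
    """Return whatever is published at strong1._domainkey.<domain> (CNAME or TXT)."""
    name = f"{DKIM_SELECTOR}.{domain}"
    return lookup(name, "CNAME") + lookup(name, "TXT")


def audit(domain):
    """Summarize whether the domain has delegated mail authority to Help Scout."""
    return {
        "spf_authorizes_helpscout": spf_reaches(domain, HELPSCOUT_SPF_DOMAIN),
        "dkim_selector_published": dkim_selector_records(domain),
    }


if __name__ == "__main__":
    for d in ("example-a.test", "example-b.test"):
        print(d, audit(d))
```

Following nested includes matters here: a domain that only lists its mail provider's `_spf` record still authorizes Help Scout if that provider's record includes it, which a plain substring search of the top-level record would miss.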
## References
- **Vendor Home:** [https://www.helpscout.com/](https://www.helpscout.com/)
- **Synacktiv Advisory:** [https://www.synacktiv.com/advisories/help-scout-mass-assignment-vulnerability-on-inbox-settings](https://www.synacktiv.com/advisories/help-scout-mass-assignment-vulnerability-on-inbox-settings)
- **Help Scout SPF Setup Docs:** [https://docs.helpscout.com/article/58-spf-records](https://docs.helpscout.com/article/58-spf-records)