Dear Freshworks App Developers,
We hope this update finds you in health and safety.
We relish every moment of working along with app developers like you and conduct our practices in ways you will appreciate. Our team is simultaneously vigilant of security aspects that are of utmost priority to us as a platform and the users of your apps.
Our team has recently become aware of an issue that affects the security posture of our platform. As we take the necessary steps to address our security posture, this may require your attention for apps that are currently live in a customer’s instance. The specific risks we are trying to cover involve an agent gaining unauthorized access as an administrator within a Freshworks product.
As the very first step, until further notice, we have decided to temporarily suspend access to a few admin-specific API endpoints from the Request Method (regardless of app type) effective immediately.
To further elaborate the restriction, these API endpoints will only be restricted under the following conditions:
- The app uses the Request Method to make API calls to the endpoints outlined.
- The app uses an associated HTTP method for the affected endpoints, as captured in the list.
- API requests are made via the Request Method from the app frontend.
- API calls are made via the Request Method from the app backend with the static IP parameter set to true.
Based on our analysis, we expect very few apps are likely to rely on these endpoints. In case you find your app consuming any of these APIs via the Request Method, please get in touch with us at email@example.com. We will watch out for your requests to get you the necessary support as soon as possible.
In case your team identifies itself as a Freshworks developer partner, please also consider seeking assistance from Program Managers from Freshworks closest to your team.
You can read further on this topic through a Wiki article we recently added and comment to call out anything we may have missed addressing.
We would rarely want to take such drastic measures without notice, but unfortunately, our team felt this situation calls for it, in order to protect the interests of both you as a trusted developer and the customers that trust your work on our platform. We apologize for any inconvenience this may have caused and thank you for your support in making our platform more secure.