Details
Suggestion
Resolution: Unresolved
Description
NOTE: This suggestion is for JIRA Service Desk Cloud. Using JIRA Service Desk Server? See the corresponding suggestion.
Problem Definition
In certain environments, agents have access to the inbox of the mail account that Service Desk uses for the mail channel. In this scenario, an agent can manipulate customer satisfaction feedback ratings if the customer replies to the Closed/Resolved notification containing the satisfaction survey. If the reply includes the quoted body of the survey, the agent can follow the link and change the star rating.
Suggested Solution
Expire the feedback token after initial customer survey completion. Alternatively, disallow agent access to satisfaction feedback survey pages.
Workaround
Use the Jira Service Management REST API to delete the token property:
curl --request DELETE \
  --url 'https://your-domain.atlassian.com/rest/api/3/issue/{issueIdOrKey}/properties/feedback.token.key' \
  --user 'email@example.com:<api_token>'
Known issues related to this scenario
Some Atlassian customers have a spam filtering app, such as Mimecast, that reads their CSAT / Feedback URLs.
Since the satisfaction token never expires, every time this filtering app accesses the feedback URL, a new CSAT score is added to the ticket in Jira.
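A minimal model of the Suggested Solution, added here as an illustration and not Atlassian's code: the first submitted rating expires the token, so the link replayed from a quoted reply or fetched again by a mail filter records nothing further. The FeedbackTokens class, its method names, the issue key DESK-1 and the rule that merely opening the link records no rating (the confirmation step proposed in JSDCLOUD-9466) are assumptions.

```python
import hashlib
import hmac
import secrets


class FeedbackTokens:
    """Hypothetical single-use survey token store (not Jira's implementation)."""

    def __init__(self):
        self._pending = {}   # issue key -> SHA-256 of the outstanding token
        self.ratings = {}    # issue key -> recorded star ratings

    def issue(self, issue_key):
        """Create the token embedded in the survey link; keep only its hash."""
        token = secrets.token_urlsafe(32)
        self._pending[issue_key] = hashlib.sha256(token.encode()).digest()
        return token

    def open_link(self, issue_key, token):
        """Following the link only validates: no rating, token not consumed."""
        expected = self._pending.get(issue_key)
        presented = hashlib.sha256(token.encode()).digest()
        return expected is not None and hmac.compare_digest(expected, presented)

    def submit(self, issue_key, token, stars):
        """Record one rating, then expire the token so a replay is refused."""
        if not isinstance(stars, int) or not 1 <= stars <= 5:
            return "invalid"
        if not self.open_link(issue_key, token):
            return "rejected"
        del self._pending[issue_key]
        self.ratings.setdefault(issue_key, []).append(stars)
        return "recorded"


def demo():
    store = FeedbackTokens()
    token = store.issue("DESK-1")  # constructed issue key
    steps = [
        store.open_link("DESK-1", token),   # mail filter prefetches the link
        store.submit("DESK-1", token, 5),   # customer submits a rating
        store.submit("DESK-1", token, 1),   # link replayed from the quoted reply
        store.open_link("DESK-1", token),   # filter visits again later
    ]
    return steps, store.ratings
```

If the link itself carried the rating, a filter's first fetch would use up the single token before the customer saw the survey, which is why this model separates opening the link from submitting.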
Issue Links
- is related to
  - JSDCLOUD-13872 Issue with customer satisfaction survey link (Gathering Interest)
  - JSDSERVER-4056 Expire Satisfaction Feedback Token (Gathering Interest)
- relates to
  - JSDCLOUD-9466 cSAT Satisfaction: Allow a confirmation screen to be configured when providing a cSAT/satisfaction rating (Gathering Interest)