Ticket Trick: Hacking companies through their helpdesk

Clever way, unearthed by Inti de Ceukelaire, to getting access to private communications channels (such as Slack) by leveraging the create-by-email feature of issue trackers/the helpdesk of a company.

First target of Init was Gitlab’s Slack channel:

Anyone with a valid @gitlab.com e-mail address can join their Slack team. At the same time, GitLab offers a feature to create issues by e-mail by sending them to a unique @gitlab.com e-mail address.

I tried to join their Slack team using this issue creating email address, just to see what would happen. I then refreshed my issue list and saw the verification e-mails added as an issue to my project:

The freshly added issue contained the magic link needed to join their internal Slack team. I clicked the link to see if it’d actually workβ€Šβ€”β€Šand it did. I was greeted by the list of channels I was able to join.

From there one it’s only a minor thing to dig through the chat history and discover links/usernames/passwords/etc.

The fix is to provide your app users with e-mail addresses using a domain different from your main one (*). Additionally verify all e-mail addresses used to sign up.

How I hacked hundreds of companies through their helpdesk →

(*) The same goes for user hosted content, hence by Github switched from username.github.com to username.github.io domains a few years ago.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.