Clever way, unearthed by Inti de Ceukelaire, to getting access to private communications channels (such as Slack) by leveraging the create-by-email feature of issue trackers/the helpdesk of a company.
First target of Init was Gitlab’s Slack channel:
Anyone with a valid
@gitlab.come-mail address can join their Slack team. At the same time, GitLab offers a feature to create issues by e-mail by sending them to a unique
I tried to join their Slack team using this issue creating email address, just to see what would happen. I then refreshed my issue list and saw the verification e-mails added as an issue to my project:
The freshly added issue contained the magic link needed to join their internal Slack team. I clicked the link to see if it’d actually work — and it did. I was greeted by the list of channels I was able to join.
From there one it’s only a minor thing to dig through the chat history and discover links/usernames/passwords/etc.
The fix is to provide your app users with e-mail addresses using a domain different from your main one (*). Additionally verify all e-mail addresses used to sign up.
(*) The same goes for user hosted content, hence by Github switched from
username.github.io domains a few years ago.