The way some companies have set up their support systems can expose their internal communications to malicious actors, warned a researcher who used a newly discovered flaw to get into the internal chat channels of dozens of organizations.
Belgium-based bug bounty hunter Inti De Ceukelaire initially found a way to join GitLab’s Slack workspace. He later determined that the flaw he exploited, which he has dubbed “Ticket Trick,” could affect hundreds of companies.
Team collaboration tools such as Slack, Yammer and Facebook Workplace require users to sign up with an email address hosted on their company’s domain. The registered email address receives a verification link that must be accessed to join the firm’s channels.
The problem, according to De Ceukelaire, is that the helpdesk systems of some companies turn every email sent to them into a support ticket, and that the content of those tickets can be viewed by anyone who registers on the help center with the sending address, without that address ever being verified. The same goes for issue tracking systems that provide a unique email address for submitting information to a ticket.
For example, GitLab provided a unique gitlab.com email address for each project so that issues could be created by email. Signing up for GitLab’s Slack workspace with such an address resulted in the verification link being sent to it. Since anything sent to the @gitlab.com address was treated as a new issue, it was readable by the user whose project had been assigned that address.
With the verification link sent to his GitLab project’s list of issues, De Ceukelaire managed to join the company’s internal Slack channels.
The vulnerability is widespread because many companies allow users to sign up to their online support portals with any email address without asking them to verify it, and provide users access to any support ticket created by that address via the help center on their website.
An attacker can exploit this flaw using a company’s support@company.com address. Signing up for the company’s Slack workspace with support@company.com results in the verification link being emailed to that address, where the helpdesk turns it into a support ticket; since the content of support tickets is available in the help center, the attacker can read the link and access the targeted company’s internal communications.
It’s worth noting that Slack provides a “find your workspace” feature that allows users to find their company’s workspaces simply by entering their business email address.
“Once inside, most companies’ security is significantly weaker. Internal impact assessments showed employees pasted passwords, company secrets and customer information in channels everyone in the team had access to,” the researcher explained.
Another problem discovered by the researcher is that some companies use their support@company.com address to sign up for social media accounts (e.g. Twitter) and other third-party services. This allows attackers to initiate a password reset for those accounts, after which the reset link is displayed on the targeted company’s support pages.
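The helpdesk variant described above, modeled as an added example (not code from the article or from any of the vendors named in it): a toy ticket portal whose flawed "my tickets" view returns every ticket whose sender matches the address a visitor typed at sign-up, beside a hardened view that requires a verified address and quarantines inbound verification and password-reset mail so it never reaches the customer-facing help center. The addresses, tickets, regular expressions and function names are all constructed for the example; the GitLab project-address variant works the same way, with a project standing in for the portal account.

```python
"""Added example (not code from the article, GitLab, Slack, Zendesk or any other
vendor): a minimal model of a help-center ticket portal showing the Ticket Trick
exposure and two fixes. All addresses, tickets and names are constructed."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    requester: str   # From: address of the mail that hit support@company.com
    subject: str
    body: str


@dataclass(frozen=True)
class PortalAccount:
    email: str       # address the visitor typed at help-center sign-up
    verified: bool   # True only after a link mailed to that address was clicked


# Constructed inbox of support@company.com. 1002 is what arrives when someone
# signs up for the company's Slack workspace with support@company.com; 1003 is
# the result of requesting a Twitter password reset for an account tied to it.
TICKETS = [
    Ticket(1001, "alice@customer.example", "Cannot log in",
           "My password stopped working on Monday, please help."),
    Ticket(1002, "no-reply@slack.example", "Confirm your email address",
           "Click to join company.com on Slack: https://slack.example/confirm?token=ZXhhbXBsZQ"),
    Ticket(1003, "password@twitter.example", "Reset your password",
           "Reset link: https://twitter.example/account/reset?code=c0ffee"),
]

# Heuristics for mail that carries account control (verification, reset,
# magic-link) and therefore must never become a customer-visible ticket.
# Assumed patterns; tune them for the vendors your own support@ address talks to.
ACCOUNT_CONTROL_URL = re.compile(r"https?://\S*?(confirm|verif|reset|activat|magic)\S*", re.I)
AUTOMATED_SENDER = re.compile(r"^(no-?reply|password|verify|account|notifications?)@", re.I)


def is_account_control_mail(t: Ticket) -> bool:
    """Intake filter: flag tickets that look like a third-party verification or reset mail."""
    return bool(ACCOUNT_CONTROL_URL.search(t.body) or AUTOMATED_SENDER.match(t.requester))


def vulnerable_my_tickets(acct: PortalAccount, tickets: List[Ticket]) -> List[Ticket]:
    """The flawed behaviour: whoever claims an address sees every ticket that address created."""
    return [t for t in tickets if t.requester.lower() == acct.email.lower()]


def hardened_my_tickets(acct: PortalAccount, tickets: List[Ticket]) -> List[Ticket]:
    """Fix 1: only a verified owner of the address may see its tickets.
    Fix 2 (defence in depth): account-control mail is held back for staff review."""
    if not acct.verified:
        return []
    return [t for t in tickets
            if t.requester.lower() == acct.email.lower() and not is_account_control_mail(t)]


def triage_inbox(tickets: List[Ticket]) -> Tuple[List[Ticket], List[Ticket]]:
    """Split support@ intake into a customer-visible queue and a staff-only quarantine."""
    visible = [t for t in tickets if not is_account_control_mail(t)]
    quarantined = [t for t in tickets if is_account_control_mail(t)]
    return visible, quarantined


if __name__ == "__main__":
    # The attacker registers on the help center with the *sender* address of the
    # verification mail, never proves ownership of it, and asks for "my tickets".
    attacker = PortalAccount("no-reply@slack.example", verified=False)
    print("vulnerable:", [t.ticket_id for t in vulnerable_my_tickets(attacker, TICKETS)])
    print("hardened:  ", [t.ticket_id for t in hardened_my_tickets(attacker, TICKETS)])
    visible, quarantined = triage_inbox(TICKETS)
    print("quarantined:", [t.ticket_id for t in quarantined])
```

The verification requirement alone closes the hole described in the article, because the attacker cannot click a link delivered to Slack's or Twitter's own sender address. The quarantine step is the check a helpdesk operator still wants, since it also catches the case where a staff member has registered a third-party account with support@ and an attacker triggers a reset, and it gives the security team a log of every such attempt.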
De Ceukelaire determined that this and similar vulnerabilities affected GitLab, Vimeo, Kayako, Zendesk, Yammer, Slack and others. He informed some of the impacted vendors via their responsible disclosure programs and several of them rewarded the expert for his findings. In the case of Slack, while this was not a vulnerability in its systems, the company did make some changes to prevent abuse.
The researcher decided to make his findings public so that potentially affected companies can assess the risks and take action to prevent attacks.
“We need to keep looking for security issues in all possible places. This vulnerability existed for years in hundreds of websites screened by security professionals, but as far as I know, nobody found it,” said De Ceukelaire.