Researcher hacks into companies through their help desk

If your company uses an internal messaging system such as Slack, Yammer or Facebook Workplace, an outsider may be able to get into it with just a couple of clicks.

The newly disclosed technique combines weak email verification in these tools with the company's own help desk.

Undetected by most researchers

The researcher who discovered it calls it the “Ticket Trick.” Popular business communication tools let anyone with a company email address sign up, and the verification link needed to join is sent to that address. In practice, whoever can read mail at an address on the company's domain is treated as an employee.

The researcher first noticed that he could join the Slack workspace of GitLab, an online open-source code repository, by signing up with the email address generated for his own support ticket, which sat on GitLab's domain. The verification link landed in the ticket, where he could read it, so he never needed a real GitLab mailbox. Once inside, he had access to private information.

When he reported the issue, GitLab immediately made its Slack invite-only. That closes the hole, but only as a setting: if the workspace's open-signup option is ever switched back on, the same trick works again.
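The flow described above, as an added example in Python that is not code from the article or from any of the vendors it names: a toy help desk that gives each ticket a reply-to address on the company domain, a chat workspace whose self-signup trusts any address on that domain, and a hardened policy that also requires the mailbox to exist in an employee directory and rejects plus-tagged or role-style addresses. The domain example.com, the ticket-address format, the link format and all function names are assumptions.

```python
"""Toy model of the help-desk "Ticket Trick" and one mitigation.

Added example: not code from the original article or from any of the
vendors it names. The domain, the ticket reply-to address format, the
verification-link format and the policy functions are assumptions.
"""
import secrets
from dataclasses import dataclass, field

DOMAIN = "example.com"  # assumed company domain


@dataclass
class HelpDesk:
    """Help desk that assigns every ticket a reply-to address on the
    company's own domain and shows the requester anything mailed to it."""
    domain: str
    tickets: dict = field(default_factory=dict)  # reply_to -> (requester, mails)
    count: int = 0

    def open_ticket(self, requester: str) -> str:
        self.count += 1
        reply_to = f"support+ticket{self.count}@{self.domain}"  # assumed format
        self.tickets[reply_to] = (requester, [])
        return reply_to

    def deliver(self, to: str, body: str) -> bool:
        """Mail routing: anything sent to a ticket address lands in the ticket."""
        if to in self.tickets:
            self.tickets[to][1].append(body)
            return True
        return False

    def read(self, requester: str, reply_to: str) -> list:
        owner, mails = self.tickets.get(reply_to, (None, []))
        return list(mails) if owner == requester else []


ROLE_LOCALPARTS = {"support", "help", "helpdesk", "info", "admin",
                   "sales", "noreply", "no-reply"}


def domain_only_check(email: str, domain: str, directory: frozenset) -> bool:
    """Weak policy: any address on the company domain may auto-join."""
    return email.lower().endswith("@" + domain)


def directory_check(email: str, domain: str, directory: frozenset) -> bool:
    """Hardened policy: domain match is necessary, not sufficient. Reject
    plus-tagged and role-style local parts (ticket addresses look like
    both), then require the exact mailbox to exist in the directory."""
    email = email.lower()
    if not email.endswith("@" + domain):
        return False
    local = email.rsplit("@", 1)[0]
    if "+" in local or local in ROLE_LOCALPARTS:
        return False
    return email in directory


class Workspace:
    """Chat workspace with email-based self-signup, parameterised by policy."""

    def __init__(self, domain: str, policy, directory=frozenset()):
        self.domain, self.policy, self.directory = domain, policy, directory
        self.pending, self.members = {}, set()

    def request_join(self, email: str, send_mail) -> bool:
        if not self.policy(email, self.domain, self.directory):
            return False
        token = secrets.token_urlsafe(16)
        self.pending[token] = email
        send_mail(email, f"https://chat.{self.domain}/join?token={token}")  # assumed link
        return True

    def confirm(self, token: str) -> bool:
        email = self.pending.pop(token, None)
        if email:
            self.members.add(email)
        return email is not None


def run_ticket_trick(policy) -> bool:
    """An outsider opens a ticket, signs up to chat with the ticket's
    address, then reads the verification link out of the ticket.
    Returns True if the attacker ends up a workspace member."""
    desk = HelpDesk(DOMAIN)
    ws = Workspace(DOMAIN, policy, directory=frozenset({f"alice@{DOMAIN}"}))
    attacker = "attacker@outsider.test"  # constructed outsider address
    reply_to = desk.open_ticket(attacker)
    if not ws.request_join(reply_to, desk.deliver):
        return False
    for mail in desk.read(attacker, reply_to):
        ws.confirm(mail.split("token=", 1)[1])
    return reply_to in ws.members


if __name__ == "__main__":
    print("domain-only policy, attacker joined:", run_ticket_trick(domain_only_check))
    print("directory policy, attacker joined:", run_ticket_trick(directory_check))
```

The directory policy is one mitigation on the chat side, in the same spirit as GitLab switching to invite-only but less dependent on a single toggle; an SSO or directory-backed signup removes the email round trip entirely. It does nothing about the help-desk side, where the real fix is to stop exposing mail sent to ticket addresses to requesters whose own address was never verified.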

Exploring the loophole further, the researcher found that many support@company.com addresses are handled by hosted support portals such as Kayako, WHMCS or Zendesk, and that many of those portals did not verify email addresses at signup. Anyone could register an account under someone else's email address and read every support ticket that address had filed.

The exploit affected multiple platforms and services, and although the researcher reported every instance he found, he fears many more remain. Getting inside was only the start: in channels employees believed to be private, he saw them posting passwords and company secrets.