Team communication and organization tools are rapidly gaining popularity in the workplace. Applications like Yammer and Slack act as private chat rooms for employees to discuss ongoing projects or communicate potentially sensitive information. These tools are usually designed with ease of use in mind. Employees often gain access to these tools, and their company’s private discussions, simply by registering using their company email address. Once they register, the communication tool sends an email to their company address, asking them to click a link to verify the account. That’s it. No other verification other than clicking a link in an email.
You might think that requiring an @[company] email address to register for internal groups is strong enough security. Surely no one outside the company would have access to an account without a great deal of social engineering or old-fashioned hacking, right? Unfortunately, as discovered and disclosed by researcher Inti De Ceukelaire, there are sometimes unconventional methods to bypass this security check. De Ceukelaire calls his method Ticket Trick.
Ticket Trick earns its name from the use of helpdesk and support “ticketing” tools to obtain access to a company’s private communication rooms. As an example, gitlab.com allows individuals to create a bug ticket by emailing a special @gitlab.com email address for a project. Emails sent to this address are automatically displayed to everyone with access to that GitLab project under the “issues” section for the project. In essence, that means anyone who creates a GitLab project has read access to an @gitlab.com email address.
GitLab happens to also have their own private Slack channel which, until De Ceukelaire’s research, anyone with an @gitlab.com email address could automatically access after clicking a verification link sent to their email address. De Ceukelaire discovered that he could register for GitLab’s private Slack channel using the ticket-creation email address for his GitLab project. Slack then sent a verification mail to the ticket-creation address which showed up under the project’s issue tracker. This allowed him to click the verification link, opening unrestricted access to GitLab’s private Slack communications.
De Ceukelaire went on to discover similar vulnerabilities in tools like Yammer, Facebook Workplace, Kayako, and Zendesk. During his research, he found different and unique ways to obtain access to an @[company] address for use with the chat tools, mostly involving support contact tools. In the end, he recommends a few methods for ensuring your company is safe from Ticket Trick.
First, require email validation before users can access support tickets created by email. As stated by De Ceukelaire, the vulnerability exists when you can create support tickets through email and if users can access support tickets with an unverified email address.
Second, consider using a unique subdomain name when you allow ticket creation by email. For example, @reply.company.com or @support.company.com. If you restrict access to your communication tools to only the parent domain (@company.com), emails sent to subdomains will not allow automatic access to your private discussion groups.
And finally, if you are a vendor of business communication software, you should include a random token when generating the source address for verification emails, such as notification+[random_text]@company.com. This prevents attackers from easily guessing the source address and using it to register a support account with their targeted company. –Marc Laliberte
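As an added illustration of the second and third recommendations above (this is example code written for this page, not code from the article, from De Ceukelaire, or from any vendor named here), the following Python classifies a registration address against a single allowed parent domain, rejecting ticket-ingest subdomains and lookalike domains, and generates a randomized source address for verification mail. The function names, the `company.com` parent domain and the sample addresses are all constructed for the example.

```python
import re
import secrets

# Constructed local-part check; real validators are stricter, but this is
# enough to reject obviously malformed input before the domain comparison.
_LOCAL_PART = re.compile(r"^[A-Za-z0-9._%+-]+$")


def classify_registration(address: str, parent_domain: str) -> str:
    """Classify a registration address as 'allowed', 'subdomain', 'foreign'
    or 'malformed' relative to the one parent domain that unlocks the
    private workspace (recommendation 2 in the article).

    Only an exact, case-insensitive match on the parent domain is allowed;
    ticket-ingest subdomains such as reply.company.com or support.company.com
    are reported separately so they can be alerted on.
    """
    if address.count("@") != 1:
        return "malformed"
    local, _, domain = address.rpartition("@")
    if not _LOCAL_PART.match(local) or not domain:
        return "malformed"
    domain = domain.rstrip(".").lower()
    parent = parent_domain.rstrip(".").lower()
    if domain == parent:
        return "allowed"
    if domain.endswith("." + parent):
        return "subdomain"
    return "foreign"


def registration_domain_allowed(address: str, parent_domain: str) -> bool:
    """True only when the address is exactly on the parent domain."""
    return classify_registration(address, parent_domain) == "allowed"


def rejected_registrations(attempts, parent_domain: str):
    """Return (address, reason) for every attempt that must not be auto-admitted.
    Useful as a review/alert feed: a burst of 'subdomain' rejections is a sign
    someone is probing the ticket-ingest path described in the article."""
    return [
        (addr, reason)
        for addr in attempts
        if (reason := classify_registration(addr, parent_domain)) != "allowed"
    ]


def verification_sender(base_local: str, sender_domain: str) -> str:
    """Recommendation 3: build a per-message source address of the form
    notification+<random>@vendor.example so the sender cannot be predicted
    and reused to open a support ticket with the targeted company."""
    token = secrets.token_urlsafe(12)  # base64url: never contains '@' or '+'
    return f"{base_local}+{token}@{sender_domain}"


if __name__ == "__main__":
    # Constructed sample registration attempts.
    attempts = [
        "alice@company.com",
        "issues@reply.company.com",
        "helpdesk@support.company.com",
        "alice@company.com.attacker.example",
        "bob@COMPANY.COM",
        "not-an-address",
    ]
    for addr, reason in rejected_registrations(attempts, "company.com"):
        print(f"reject {addr}: {reason}")
    print(verification_sender("notification", "vendor.example"))
```

The important design choice is the exact-match comparison: an `endswith("company.com")` check would admit both `reply.company.com` and a lookalike such as `company.com.attacker.example`, which is precisely the gap the article's second recommendation closes.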