Secplicity - Security Simplified

Powered by WatchGuard Technologies

Unconventional Hacking – Ticket Trick

September 22, 2017 By Marc Laliberte

Team communication and organization tools are rapidly gaining popularity in the workplace. Applications like Yammer and Slack act as private chat rooms where employees discuss ongoing projects and share potentially sensitive information. These tools are usually designed with ease of use in mind. Employees often gain access to them, and to their company’s private discussions, simply by registering with their company email address. The tool then sends a message to that address asking them to click a link to verify the account. That’s it: the only proof of membership is the ability to read one email delivered to an @[company] address.

You might think that requiring an @[company] email address to register for internal groups is security enough. Surely no one outside the company could obtain such an account without a great deal of social engineering or old-fashioned hacking, right? Unfortunately, as researcher Inti De Ceukelaire discovered and disclosed, there are sometimes unconventional ways to bypass this check. De Ceukelaire calls his method Ticket Trick.

Ticket Trick earns its name from the use of helpdesk and support “ticketing” tools to obtain access to a company’s private communication rooms. As an example, gitlab.com lets anyone create an issue in a project by emailing a special @gitlab.com address tied to that project. Emails sent to this address are automatically displayed to everyone with access to the project under its “Issues” section. In effect, anyone who creates a GitLab project has read access to an @gitlab.com email address.

GitLab also has its own private Slack team which, until De Ceukelaire’s research, anyone with an @gitlab.com email address could join automatically after clicking a verification link sent to that address. De Ceukelaire found that he could register for GitLab’s Slack using the issue-creation address of his own GitLab project. Slack sent its verification email to that address, where it showed up as an issue in his project’s tracker. He clicked the link and gained access to GitLab’s private Slack communications.

De Ceukelaire went on to discover similar vulnerabilities in tools like Yammer, Facebook Workplace, Kayako, and Zendesk. During his research, he found different ways to obtain access to an @[company] address for use with the chat tools, mostly through support contact tools. In the end, he recommends a few measures for keeping your company safe from Ticket Trick.

First, require email validation before users can access support tickets created by email. As De Ceukelaire puts it, the vulnerability exists when both conditions hold: support tickets can be created by email, and users can read those tickets with an unverified email address. The verification link the chat tool sends is only dangerous if someone who does not own the mailbox can read it.

Second, use a dedicated subdomain for the addresses that create tickets by email, for example @reply.company.com or @support.company.com. If access to your communication tools is restricted to the parent domain (@company.com) and nothing below it, an address on the intake subdomain will not grant automatic access to your private discussion groups. Note that this only works if the communication tool compares the full domain exactly; a suffix check (“ends with company.com”) would still accept reply.company.com.

And finally, if you are a vendor of business communication software, include a random token in the source address of your verification emails, such as notification+[random_text]@company.com. This keeps attackers from guessing the source address and using it to register a support account with their target company. –Marc Laliberte
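The flow described above, as an added example that is not code from the post or from any of the vendors it names: a toy email-to-ticket helpdesk that reproduces the Ticket Trick, with the first two recommendations (hide email-created tickets from unverified members, and accept only the exact parent domain for auto-join) as switches. The hostnames, addresses, project name and verification URL are constructed for the demo.

```python
# Added example: a toy helpdesk reproducing the Ticket Trick, with the post's
# first two fixes as switches. All names and addresses are constructed.
import re
from dataclasses import dataclass, field

# Assumed shape of a chat tool's verification link (constructed for the demo).
VERIFY_LINK = re.compile(r"https://\S+/verify\?token=[A-Za-z0-9]+")


@dataclass
class Ticket:
    project: str
    sender: str
    subject: str
    body: str


@dataclass
class Helpdesk:
    """Mail sent to <project>@intake_domain becomes a ticket in that project."""
    intake_domain: str
    require_verified: bool = False          # fix 1: hide tickets from unverified members
    tickets: list = field(default_factory=list)
    members: dict = field(default_factory=dict)  # project -> {member email: verified?}

    def add_member(self, project: str, email: str, verified: bool) -> None:
        self.members.setdefault(project, {})[email] = verified

    def receive_email(self, to_addr: str, from_addr: str, subject: str, body: str):
        local, _, domain = to_addr.rpartition("@")
        if domain.lower() != self.intake_domain.lower():
            return None                      # not an intake address: delivered elsewhere
        ticket = Ticket(local, from_addr, subject, body)
        self.tickets.append(ticket)
        return ticket

    def visible_tickets(self, project: str, viewer: str) -> list:
        verified = self.members.get(project, {}).get(viewer)
        if verified is None or (self.require_verified and not verified):
            return []
        return [t for t in self.tickets if t.project == project]


def send_verification(helpdesk: Helpdesk, registrant: str) -> None:
    """Stand-in for the chat tool: it mails a verification link to the registered address."""
    body = "Click https://chat.example/verify?token=abc123xyz to finish joining the team."
    helpdesk.receive_email(registrant, "no-reply@chat.example", "Verify your email", body)


def leaked_verification_link(helpdesk: Helpdesk, project: str, viewer: str):
    """What someone reading the project's issue tracker would find."""
    for ticket in helpdesk.visible_tickets(project, viewer):
        match = VERIFY_LINK.search(ticket.body)
        if match:
            return match.group(0)
    return None


def auto_join_allowed(email: str, company_domain: str) -> bool:
    """Fix 2, enforced on the chat-tool side: only the exact parent domain qualifies,
    so an intake subdomain such as reply.company.example never grants auto-join."""
    domain = email.rpartition("@")[2].lower()
    return domain == company_domain.lower()


def run_ticket_trick(require_verified: bool):
    """Attacker 'mallory' owns a project on the helpdesk, registers that project's intake
    address with the chat tool, and looks for the verification link in her own tracker."""
    hd = Helpdesk("gitlab.example", require_verified=require_verified)
    hd.add_member("mallory-proj", "mallory@evil.example", verified=False)  # signed up, never verified
    send_verification(hd, "mallory-proj@gitlab.example")
    return leaked_verification_link(hd, "mallory-proj", "mallory@evil.example")


if __name__ == "__main__":
    print("vulnerable helpdesk leaks:", run_ticket_trick(require_verified=False))
    print("hardened helpdesk leaks:  ", run_ticket_trick(require_verified=True))
    print("reply.company.example auto-join:",
          auto_join_allowed("x@reply.company.example", "company.example"))
```

Run it as a script: the unhardened helpdesk hands the attacker the verification link, the hardened one returns nothing, and the exact-domain check rejects the intake subdomain. The same check would also reject look-alike domains such as company.example.evil, which a naive suffix test would not.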


Filed Under: Editorial Articles Tagged With: Hacking
