Over the years, organizations both big and small have come to rely on tools such as Slack for internal communication and collaboration. But a serious weakness has just been unearthed in the way third-party helpdesk and issue-tracking services hand out email addresses, one that could let anyone with the know-how read confidential internal communications.
According to Inti De Ceukelaire, the researcher who discovered the issue, an outsider can gain access to a company's internal communication even though no administrator or workspace owner ever invited them or granted them permission.
This becomes all the more critical with helpdesks and issue trackers that accept tickets at addresses on the company's own domain: a ticket-specific @company.com address is, to a service such as Slack, indistinguishable from an employee's mailbox. De Ceukelaire exploited exactly this to get in.
He created an account on GitHub and raised a ticket over email. That gave him an @company.com address whose incoming mail was delivered straight into a ticket he could read. He then used that address to register on the Slack workspace the company used for internal communication, and the sign-up email Slack sent to it landed in his ticket.
Are Automated Helpdesks to Be Blamed?
Helpdesk software lets users get a quick remedy for their issues by raising tickets or reporting problems, usually by email, and automatically files every message it receives into the matching ticket.
The real problem lies in the verification chain. The helpdesk lets a user with an unverified email address read a ticket, including any mail sent to the ticket's own @company.com address, while Slack treats the ability to receive mail at an @company.com address as proof that you work there. Put together, anyone can obtain such an address and use it to reach the information linked to it.
De Ceukelaire wrote on his blog, “This vulnerability exists if support tickets can be created through email and if support tickets are accessible by users with an unverified email address. It also exists in public issue trackers or responders providing a unique @company.com email address to submit information directly to a ticket, forum post, private message or user account.”
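To make the chain concrete, the following is an added example (not code from the article, from De Ceukelaire's write-up, or from Slack or any helpdesk vendor) that models both sides: a toy issue tracker that gives every ticket a reply-to address and files inbound mail into the ticket, and a toy workspace that, like Slack's "join with your work email" flow, lets anyone who can read mail at an address on the trusted domain in. All domains, addresses and the `support+ticketN@` address format are constructed assumptions for the demonstration. The attack succeeds when the helpdesk and the workspace share a domain, and fails under the two hardenings the article's last paragraphs describe: a separate support domain, or refusing sign-ups to known ticket-address patterns.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed names for the demonstration; none of these are real organizations or hosts.
COMPANY_DOMAIN = "example.com"
SEPARATE_SUPPORT_DOMAIN = "support.example.net"
ATTACKER = "attacker@evil.test"   # unverified address the attacker gives the helpdesk


@dataclass
class Ticket:
    id: int
    reporter: str                          # never verified: whatever the reporter typed
    messages: list = field(default_factory=list)


class Helpdesk:
    """Toy issue tracker. Each ticket gets a unique reply-to address on inbound_domain;
    mail delivered to that address is appended to the ticket, and the (unverified)
    reporter can read the ticket. This is the behaviour De Ceukelaire's quote describes."""

    def __init__(self, inbound_domain: str):
        self.inbound_domain = inbound_domain
        self.tickets: dict[int, Ticket] = {}

    def open_ticket(self, reporter: str) -> Ticket:
        ticket = Ticket(id=len(self.tickets) + 1, reporter=reporter)
        self.tickets[ticket.id] = ticket
        return ticket

    def ticket_address(self, ticket_id: int) -> str:
        return f"support+ticket{ticket_id}@{self.inbound_domain}"   # assumed format

    def deliver(self, rcpt: str, body: str) -> bool:
        """Inbound-mail hook: route mail addressed to a ticket into that ticket."""
        m = re.fullmatch(r"support\+ticket(\d+)@" + re.escape(self.inbound_domain), rcpt)
        if not m or int(m.group(1)) not in self.tickets:
            return False
        self.tickets[int(m.group(1))].messages.append(body)
        return True

    def read(self, ticket_id: int, who: str) -> list[str]:
        ticket = self.tickets[ticket_id]
        if who != ticket.reporter:
            raise PermissionError("not the reporter")
        return list(ticket.messages)


class Workspace:
    """Toy chat workspace: anyone who can read mail at an @allowed_domain address may join.
    `deny` is an optional hardening, a regex of machine-generated ticket addresses."""

    def __init__(self, allowed_domain: str, send_mail, deny: "re.Pattern | None" = None):
        self.allowed_domain = allowed_domain.lower()
        self.send_mail = send_mail        # callable(rcpt, body) -> bool
        self.deny = deny
        self.pending: dict[str, str] = {}
        self.members: set[str] = set()

    def request_join(self, email: str) -> bool:
        domain = email.rsplit("@", 1)[-1].lower()
        if domain != self.allowed_domain:
            return False
        if self.deny is not None and self.deny.search(email):
            return False
        code = secrets.token_hex(4)
        self.pending[email] = code
        return self.send_mail(email, f"Your verification code is {code}")

    def confirm(self, email: str, code: str) -> bool:
        if self.pending.get(email) == code:
            self.members.add(email)
            return True
        return False


def run_ticket_trick(helpdesk: Helpdesk, workspace: Workspace) -> bool:
    """The chain from the article: open a ticket with an unverified address, take the
    ticket's address, request to join the workspace with it, read the code out of the
    ticket, confirm. Returns True if the attacker ends up a workspace member."""
    ticket = helpdesk.open_ticket(ATTACKER)
    addr = helpdesk.ticket_address(ticket.id)
    if not workspace.request_join(addr):
        return False                      # refused before any mail was sent
    inbox = helpdesk.read(ticket.id, ATTACKER)
    m = re.search(r"code is ([0-9a-f]+)", inbox[-1])
    return m is not None and workspace.confirm(addr, m.group(1))


def vulnerable_setup():
    """Ticket addresses live on the same domain the workspace trusts."""
    hd = Helpdesk(COMPANY_DOMAIN)
    return hd, Workspace(COMPANY_DOMAIN, hd.deliver)


def hardened_separate_domain():
    """Fix 1: ticket addresses on a domain the workspace does not accept for sign-up."""
    hd = Helpdesk(SEPARATE_SUPPORT_DOMAIN)
    return hd, Workspace(COMPANY_DOMAIN, hd.deliver)


def hardened_denylist():
    """Fix 2: keep the domain but refuse sign-ups to known ticket-address patterns."""
    hd = Helpdesk(COMPANY_DOMAIN)
    return hd, Workspace(COMPANY_DOMAIN, hd.deliver, deny=re.compile(r"^support\+ticket\d+@", re.I))


if __name__ == "__main__":
    print("vulnerable:", run_ticket_trick(*vulnerable_setup()))                # True
    print("separate domain:", run_ticket_trick(*hardened_separate_domain()))  # False
    print("denylist:", run_ticket_trick(*hardened_denylist()))                # False
```

The point the model makes is that neither component is broken on its own: the helpdesk correctly shows a reporter their own ticket, and the workspace correctly verifies that the applicant can read mail at the address. The flaw is the trust the workspace places in the domain, so the fix has to sit at that boundary, either by keeping machine-generated addresses off the trusted domain or by refusing them explicitly. Note that the denylist only works if it matches every address format the helpdesk can generate, which is why the separate domain is the more robust of the two.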
The fix is straightforward. Companies can move their support and ticket addresses onto a separate domain that is not accepted for sign-up by services such as Slack or Yammer, or configure those services so that an email address on the company domain alone is not enough to join.
If your helpdesk still hands out addresses on your main company domain, consider changing that.