Hundreds of companies have been hackable for years through their helpdesk, because of a logic flaw that had never been noticed before. By abusing it, attackers can gain access to the helpdesk, to internal communications and, in some cases, to a company's social media accounts.
The flaw was found by the Belgian ethical hacker Inti De Ceukelaire. It is not a technical bug but what De Ceukelaire describes as "a logical error in the helpdesk procedure." He demonstrated it through the business chat application Slack: the app itself contained no bug, but an error in other companies' helpdesks made it possible to get into those companies' Slack channels. Slack has since changed its verification process, but Yammer and other tools can be abused in the same way.
Employees of companies that use Slack or Yammer can join with their company email address. They do not need to be invited; an email address on that domain is enough.
Virtual business address via help desk
De Ceukelaire, however, found a way to obtain a virtual email address at such a company through its helpdesk portal. He managed to do so at the Gitlab developer platform.
Anyone who opens a ticket at Gitlab's helpdesk as a user (the same applies to hundreds of other companies) is assigned a unique virtual email address for the conversation between the user and the helpdesk, visible in the user portal. But that virtual address is on the company's own domain. "So once you get assigned such a virtual address via a created ticket, you can also register yourself on their internal Slack channel and follow the internal communication." The trick could then be repeated with other services, including Yammer.
The story becomes even more interesting once you know that many web services do not check that the email address someone registers with actually belongs to them. De Ceukelaire, for example, was able to invite himself into Vimeo's Slack channel by signing up with Slack's support address.
He registered a user account at the video service Vimeo with that address. Vimeo did not check whether De Ceukelaire really controlled it and simply gave him the account.
He then turned to the Slack application again to get into the Slack channels of Vimeo's employees. For this he gave the address firstname.lastname@example.org.
Now recall the helpdesk addresses created under a user account: Slack sends an access link for Vimeo's chat channels to that address. But because it is the helpdesk address, Vimeo automatically turns the mail into a helpdesk ticket associated with the mail's sender. De Ceukelaire had registered an account under that sender address shortly before, so he could read the ticket.
De Ceukelaire has since contacted various companies, and they have adapted their procedures. But he stresses that there are still hundreds of similar setups, whether helpdesk software or collaboration tools, that unknowingly allow such circumvention techniques.
"The big problem is that with many services you can create an account without much verification," he tells Data News. "If you then register with the mail address they send their verification mail to, you can get in."
The flaw itself was discovered a few months ago. Since then he has warned more than one hundred companies in which he was able to detect the error. "I started with the ones that already work with ethical hackers, and Slack has adjusted its procedures in the meantime, but you can't find and contact all of them at once."
Not yet resolved everywhere
De Ceukelaire therefore deliberately waited for a number of companies to correct the error. Now, however, he wants to go public with the problem so that other companies can check whether their systems contain the same error.
That produced varying responses. "Some companies have fixed it and even rewarded me for reporting it to them, but I've reported it to Yammer several times without any indication that they would address it." Others, such as Zendesk or Kayako, have since taken measures. De Ceukelaire stresses that it is not a fault of these tools themselves but of the companies that use them. Still, by changing their own procedures, the tools reduce the risk of a break-in for those users.
Security is weakened
In an extensive blog post, De Ceukelaire warns that once you have a foothold in a company's internal communication, security is often much weaker. "Password resets are often done via such a support or noreply address, so I even got access to the Twitter and Facebook accounts of some big companies."
Finally, the problem is relatively easy to fix: on the one hand by properly verifying email addresses, and on the other by not issuing such ticket addresses from the company's own domain but from a separate one. "Once you make such a change, you can no longer request access through the helpdesk," De Ceukelaire concludes.
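The attack flow described in the Gitlab and Vimeo examples, together with the two fixes named just above, modelled as a small Python simulation. This is an added example and not code from the article, from De Ceukelaire, or from Slack, Gitlab, Vimeo or any helpdesk vendor; it generalises the specific case to any helpdesk that mints per-ticket reply aliases and any collaboration tool that admits every address on a trusted domain. The domains example.com, tickets.example.net, chat.example and attacker.example, and all class and function names, are assumptions made for the illustration.

```python
"""Toy model of the helpdesk 'ticket trick' described above, plus two fixes.
Constructed for this example; not code from De Ceukelaire, Slack, Gitlab or
any helpdesk vendor. Helpdesk mints a per-ticket reply alias and files inbound
mail to it into the ticket (readable by the requester); CollabTool (Slack-like)
admits any address on the company domain via an emailed one-time sign-in link;
MailSystem routes mail to whichever component owns the recipient's domain."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable
import secrets

COMPANY_DOMAIN = "example.com"   # assumed company domain

@dataclass
class Ticket:
    requester: str
    alias: str
    messages: list[str] = field(default_factory=list)

class MailSystem:
    def __init__(self) -> None:
        self.owners: dict[str, Callable[[str, str], bool]] = {}  # domain -> deliver

    def send(self, to: str, body: str) -> bool:
        deliver = self.owners.get(to.rpartition("@")[2])
        return bool(deliver and deliver(to, body))  # no owner: mail is dropped

class Helpdesk:
    def __init__(self, mail: MailSystem, alias_domain: str) -> None:
        self.alias_domain = alias_domain
        self.tickets: dict[str, Ticket] = {}
        mail.owners[alias_domain] = self.deliver

    def open_ticket(self, requester: str) -> Ticket:
        # The flaw: in the vulnerable setup alias_domain is the company's own domain.
        alias = f"support+{secrets.token_hex(4)}@{self.alias_domain}"
        self.tickets[alias] = Ticket(requester, alias)
        return self.tickets[alias]

    def deliver(self, to: str, body: str) -> bool:
        ticket = self.tickets.get(to)
        if ticket is None:
            return False
        ticket.messages.append(body)  # now visible to whoever opened the ticket
        return True

class CollabTool:
    def __init__(self, mail: MailSystem, allowed_domain: str,
                 blocked_localparts: frozenset[str] = frozenset()) -> None:
        self.mail, self.allowed_domain, self.blocked = mail, allowed_domain, blocked_localparts
        self.pending: dict[str, str] = {}  # sign-in token -> email

    def join(self, email: str) -> bool:
        local, _, domain = email.rpartition("@")
        if domain != self.allowed_domain:
            return False
        if local.split("+", 1)[0] in self.blocked:  # role addresses such as support@
            return False
        token = secrets.token_urlsafe(8)
        self.pending[token] = email
        return self.mail.send(email, f"https://chat.example/magic/{token}")

    def redeem(self, token: str) -> str | None:
        return self.pending.pop(token, None)  # address now signed in, or None

def run_attack(helpdesk: Helpdesk, collab: CollabTool) -> str | None:
    """Outsider opens a ticket, joins with its alias, reads the link from the ticket."""
    ticket = helpdesk.open_ticket("outsider@attacker.example")
    if not collab.join(ticket.alias):
        return None
    for msg in ticket.messages:
        if "/magic/" in msg:
            return collab.redeem(msg.rsplit("/", 1)[1])
    return None

def vulnerable_setup() -> str | None:
    mail = MailSystem()
    return run_attack(Helpdesk(mail, COMPANY_DOMAIN), CollabTool(mail, COMPANY_DOMAIN))

def separate_domain_setup() -> str | None:
    # Fix 1: ticket aliases live on a domain the collab tool does not trust.
    mail = MailSystem()
    return run_attack(Helpdesk(mail, "tickets.example.net"), CollabTool(mail, COMPANY_DOMAIN))

def blocklist_setup() -> str | None:
    # Fix 2: the collab tool refuses role addresses such as support@ / noreply@.
    mail = MailSystem()
    blocked = frozenset({"support", "noreply", "helpdesk"})
    return run_attack(Helpdesk(mail, COMPANY_DOMAIN), CollabTool(mail, COMPANY_DOMAIN, blocked))

if __name__ == "__main__":
    print("vulnerable:     ", vulnerable_setup())   # support+...@example.com
    print("separate domain:", separate_domain_setup())
    print("blocklist:      ", blocklist_setup())
```

In the vulnerable configuration the outsider ends up signed in as an address on the company domain without ever owning a mailbox there; moving the ticket aliases to a separate domain stops the join at the domain check, and a role-address blocklist on the collaboration tool's side stops it even when the helpdesk keeps using the main domain. The second fix is the weaker one, since it only covers local parts an operator thought to list.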