

Unconventional Hacking – Ticket Trick

A new hacking trick has emerged that leverages your own helpdesk or support ticketing tools as an easy way to distribute malware.

Team communication and organization tools are rapidly gaining popularity in the workplace. Applications like Yammer and Slack act as private chat rooms for employees to discuss ongoing projects or communicate potentially sensitive information. These tools are usually designed with ease of use in mind. Employees often gain access to these tools, and to their company’s private discussions, simply by registering with their company email address. Once they register, the communication tool sends an email to their company address asking them to click a link to verify the account. That’s it: no verification other than clicking a link in an email.

You might think that requiring an @[company] email address to register for internal groups is strong enough security. Surely no one outside the company would have access to an account without a great deal of social engineering or old-fashioned hacking, right? Unfortunately, as discovered and disclosed by researcher Inti De Ceukelaire, there are sometimes unconventional methods to bypass this security check. De Ceukelaire calls his method Ticket Trick.

Ticket Trick earns its name from the use of helpdesk and support “ticketing” tools to obtain access to a company’s private communication rooms. As an example, gitlab.com allows individuals to create a bug ticket by emailing a special @gitlab.com email address for a project. Emails sent to this address are automatically displayed to everyone with access to that GitLab project under the project’s “issues” section. In essence, that means anyone who creates a GitLab project has read access to an @gitlab.com email address.

GitLab also happens to have its own private Slack channel which, until De Ceukelaire’s research, anyone with an @gitlab.com email address could automatically access after clicking a verification link sent to that address. De Ceukelaire discovered that he could register for GitLab’s private Slack channel using the ticket-creation email address for his GitLab project. Slack then sent a verification email to the ticket-creation address, and that email showed up in the project’s issue tracker. This allowed him to click the verification link, opening unrestricted access to GitLab’s private Slack communications.

De Ceukelaire went on to discover similar vulnerabilities in tools like Yammer, Facebook Workplace, Kayako, and Zendesk. During his research, he found several distinct ways to obtain access to an @[company] address for use with the chat tools, mostly involving support contact tools. In the end, he recommends a few methods for ensuring your company is safe from Ticket Trick.

First, require email validation before users can access support tickets created by email. As De Ceukelaire states, the vulnerability exists when support tickets can be created through email and users can access those tickets with an unverified email address.

Second, consider using a unique subdomain when you allow ticket creation by email, for example @reply.company.com or @support.company.com. If you restrict access to your communication tools to the parent domain only (@company.com), emails sent to the subdomains will not grant automatic access to your private discussion groups.

And finally, if you are a vendor of business communication software, you should include a random token when generating the source address for verification emails, such as notification+[random_text]@company.com. This prevents attackers from easily guessing the source address and using it to register a support account with their targeted company.
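As an added example (not code from the article, nor from any of the products it names), here is how the three recommendations above look when written out: an exact-domain sign-up check, a random token in the verification sender address, and a ticket that stays hidden until its sender confirms a challenge. The domain company.com, the subdomain names and the ticket data are constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed example value: stands in for an organisation's parent domain.
COMPANY_DOMAIN = "company.com"


def registration_allowed(address: str, company_domain: str = COMPANY_DOMAIN) -> bool:
    """Recommendation 2: accept a sign-up only for an exact match on the parent domain.

    A naive address.endswith(company_domain) check would also accept
    alice@reply.company.com (a ticket-creation subdomain) or alice@notcompany.com.
    """
    if address.count("@") != 1:
        return False
    local, domain = address.rsplit("@", 1)
    if not re.fullmatch(r"[A-Za-z0-9._+-]+", local):
        return False
    return domain.lower() == company_domain.lower()


def notification_sender(company_domain: str = COMPANY_DOMAIN) -> str:
    """Recommendation 3 (for the chat vendor): put an unpredictable token in the
    sender address of each verification email, so nobody can pre-register it as a
    support contact. Produces something like notification+<32 hex chars>@company.com."""
    return f"notification+{secrets.token_hex(16)}@{company_domain}"


@dataclass
class Ticket:
    reporter: str                      # address the inbound email came from
    body: str
    challenge: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    reporter_verified: bool = False    # set once the sender answers the challenge


def confirm_reporter(ticket: Ticket, token: str) -> bool:
    """The helpdesk mails `challenge` back to the sender; only a reply carrying it
    marks the sender as verified. Constant-time compare avoids leaking the token."""
    if secrets.compare_digest(token, ticket.challenge):
        ticket.reporter_verified = True
    return ticket.reporter_verified


def visible_tickets(tickets: list) -> list:
    """Recommendation 1: a ticket created by inbound email is shown to helpdesk
    users only after its sender is verified, so a verification link mailed in by
    a third-party service (which never answers the challenge) stays hidden."""
    return [t for t in tickets if t.reporter_verified]
```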

