The way some companies have set up support systems can expose their internal communications to malicious actors, warned a researcher who used a newly discovered security hole to hack dozens of organizations.
Belgium-based bug bounty hunter Inti De Ceukelaire initially found a way to join GitLab’s Slack workspace. He later determined that the flaw he exploited, which he has dubbed “Ticket Trick,” could affect hundreds of companies.
Team collaboration tools such as Slack, Yammer and Facebook Workplace require users to sign up with an email address hosted on their company’s domain. The registered email address receives a verification link that must be accessed to join the firm’s channels.