People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Ticket Tricking OpenSSL.org with Google Groups - 1892
Ticket Tricking is a technique to get OTPs or verification emails sent to a public forum so that you can "prove" you have access to a domain when you really don't. Google Groups have this risk and are the focus of this post.
The author of the post found a tool for scraping Google Groups. Unfortunately, it was somewhat outdated and only looked for a single hard-coded group. So, they wrote a Vibe-Coded application to find Google Group URLs, filter them, and check for public read access. Starting from 32K raw URLs, the scan left them with 150+ groups.
One of the vulnerable instances was the OpenSSL.org Slack group. The author logged in to the group using the OTP leaked on the forum. This has serious implications. Many applications (except Slack) have patched vulnerable-by-default mechanisms. However, GitHub email verification, auto-join SaaS tenants and many other things are still vulnerable. Good post!
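A defender-side check for the exposure described above, as an added example that is not from the original post or its author: it reviews exported settings for your own Google Groups and flags any group where mail from outside senders lands in an archive outsiders can read. The setting names and values follow the Google Groups Settings API; the sample groups are constructed, and the "anyone can join" path goes beyond the public-read case the post covers.

```python
# Added example: audit your own Google Groups settings for ticket-trick exposure.
# Keys and enum values follow the Google Groups Settings API, which returns
# booleans as the strings "true" / "false".

def assess(group):
    """Return (severity, reason) for one group's settings dict."""
    accepts_outside_mail = group.get("whoCanPostMessage") == "ANYONE_CAN_POST"
    archived = group.get("isArchived") == "true"
    if not (accepts_outside_mail and archived):
        # A verification email is either rejected or never stored for reading.
        return "ok", ""
    view = group.get("whoCanViewGroup")
    open_join = (group.get("whoCanJoin") == "ANYONE_CAN_JOIN"
                 and group.get("allowExternalMembers") == "true")
    if view == "ANYONE_CAN_VIEW":
        return "high", "outside mail is archived and readable by anyone on the web"
    if view == "ALL_MEMBERS_CAN_VIEW" and open_join:
        return "medium", "outside mail is archived and anyone may join to read it"
    return "ok", ""

def audit(groups):
    """Return [(email, severity, reason)] for every group that needs attention."""
    findings = []
    for g in groups:
        severity, reason = assess(g)
        if severity != "ok":
            findings.append((g["email"], severity, reason))
    return sorted(findings)

# Constructed sample settings (hypothetical groups on example.org).
SAMPLE_GROUPS = [
    {"email": "security@example.org", "whoCanPostMessage": "ANYONE_CAN_POST",
     "whoCanViewGroup": "ANYONE_CAN_VIEW", "whoCanJoin": "INVITED_CAN_JOIN",
     "allowExternalMembers": "false", "isArchived": "true"},
    {"email": "community@example.org", "whoCanPostMessage": "ANYONE_CAN_POST",
     "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW", "whoCanJoin": "ANYONE_CAN_JOIN",
     "allowExternalMembers": "true", "isArchived": "true"},
    {"email": "support@example.org", "whoCanPostMessage": "ANYONE_CAN_POST",
     "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW", "whoCanJoin": "INVITED_CAN_JOIN",
     "allowExternalMembers": "false", "isArchived": "true"},
    {"email": "announce@example.org", "whoCanPostMessage": "ALL_MANAGERS_CAN_POST",
     "whoCanViewGroup": "ANYONE_CAN_VIEW", "whoCanJoin": "ANYONE_CAN_JOIN",
     "allowExternalMembers": "true", "isArchived": "true"},
]

if __name__ == "__main__":
    for email, severity, reason in audit(SAMPLE_GROUPS):
        print(f"{severity:6} {email}: {reason}")
```

Addresses flagged here should not be used to register for third-party services or to receive OTPs and verification links until the group's view or post setting is tightened.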