Some workplaces require employees to sign up with their @company e-mail address. This guy figured out how to use service e-mail addresses in order to log in to internal-only Slack chats!
For instance, GitLab offers a feature to create issues by e-mail by sending them to a unique GitLab address. By using this address, the user was able to join GitLab's internal Slack channel!
Another common place this was found was with support desk features. By manipulating how e-mails were being sent across different support platforms, the "magic links" became clickable, allowing sign-up to the Slack room.
By abusing the above flaw, all e-mails sent to support@ can be read, giving the ability to use password reset links for things like Twitter and so on at other companies. This is because software like Zendesk creates tickets automatically for any e-mail sent to a given address!
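As an added example (not code from the article, Slack, GitLab or Zendesk), here is the weak "address ends in @company" check the story turns on, next to a stronger check that requires the address to belong to a known person rather than a role or ticket-ingest mailbox; the domain, directory and mailbox list are constructed sample data.

```python
# Added example, not from the article or from Slack, GitLab or Zendesk.
# Shows why "address ends in @company.com" proves nothing when role mailboxes
# (support@, issue-by-email addresses) are read by software or by outsiders,
# and a stronger check: the address must map to a real person in the directory.
import re

# Constructed sample data standing in for a company's identity directory and
# for the mailboxes that third-party software ingests (assumptions, not real).
CORP_DOMAIN = "example.com"
EMPLOYEE_DIRECTORY = {"alice@example.com", "bob@example.com"}
SERVICE_MAILBOXES = {"devops-bot@example.com", "tickets-archive@example.com"}
ROLE_LOCALPARTS = {"support", "help", "helpdesk", "info", "sales", "billing",
                   "security", "noreply", "no-reply", "admin"}


def normalize(email: str) -> str:
    """Lower-case and drop a '+tag' sub-address so variants collapse to one mailbox."""
    local, _, domain = email.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def domain_only_check(email: str) -> bool:
    """The weak check the article shows being bypassed: any @CORP_DOMAIN address passes."""
    return email.strip().lower().endswith("@" + CORP_DOMAIN)


def directory_check(email: str) -> tuple[bool, str]:
    """Stronger check: reject role/ingest mailboxes and anything not in the directory."""
    norm = normalize(email)
    local, _, domain = norm.rpartition("@")
    if domain != CORP_DOMAIN:
        return False, "foreign domain"
    # Generic role names and typical issue-by-email / ticketing prefixes.
    if local in ROLE_LOCALPARTS or re.match(r"^(incoming|tickets?|issues?)\b", local):
        return False, "role or ingest mailbox"
    if norm in SERVICE_MAILBOXES:
        return False, "mailbox read by third-party software"
    if norm not in EMPLOYEE_DIRECTORY:
        return False, "no matching person in directory"
    return True, "ok"
```

The weak check accepts support@example.com; the directory check rejects it, along with an issue-by-email style address such as incoming+infra-42@example.com.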
Lessons learned (from the article)... Once inside, most companies' security is significantly weaker. Internal impact assessments showed employees pasted passwords, company secrets and customer information in channels everyone in the team had access to...
Lessons learned (from the article)... We need to keep looking for security issues in all possible places.
This vulnerability existed for years on hundreds of websites screened by security professionals, but as far as I know, nobody found it... To me, this is really hard to find because it took several pieces of software being abused at the same time in order to find this!
Overall, an amazing article (this took me a while to understand). But this is up in the clouds as one of my favorite articles ever! :)