
How I hacked hundreds of companies through their helpdesk - TiPi
https://medium.com/@intideceukelaire/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c
======
ScottEvtuch
I'm kind of blown away that some of these larger companies aren't using SAML
to do their Slack authentication. I guess when you're provided with a super
simple turn-key solution to getting employees on the system (corporate email
verification) then you're probably inclined to use it. I wonder how diligent
these companies are about cleaning up old employee Slack accounts, as it's not
like Slack re-verifies periodically that I'm aware of.

~~~
djsumdog
I was at a company that used ADFS with Slack. The other day I was trying to
get to another Slack group and selected the wrong link in my history. It
logged me into my old company account and rooms. Apparently the AD team
doesn't push disabled accounts to service providers. (I left four months ago.)

------
jdmulloy
Does this affect Hipchat?

------
whipoodle
That's a good one!
