by xfitm3 1791 days ago
Slack is often misconfigured - mid-sized companies without a proper IAM team/engineer often enable auto-provisioning, which sends an invite to @<whitelisted domain>. If you can identify an e-mail reflection vuln on the domain you can parlay that into a Slack invite, and while ChatOps might be the least of the concerns, I fear this is reinforcing bad hygiene.

Additionally companies forced to be SOX compliant require separation of duties, which is often incompatible with slash commands that impact production or revenue generating infrastructure.

2 comments

For teams that are concerned about whether their Slack is configured correctly, Abbot can be put into a waitlist mode where an administrator on the Abbot team has to explicitly approve any access. No matter how Abbot is configured, all commands are still logged.

SOX compliance is a bit outside of our domain of influence; our goal is to give people the most powerful tools we can, in a way that they can run them in their environment without having to reinvent the wheel.

> If you can identify an e-mail reflection vuln on the domain you can parlay that into a Slack invite

On reread, I realize that I'm not sure I understand what sort of attack you're talking about. While I think we've done a good job of making Abbot a safe entity, could you describe how this works? It's possible there's an attack vector we haven't considered. Thanks for sharing!

You need to know the Slack workspace URL; it looks like the previous method I used to find this for arbitrary domains has been fixed. Workspace URLs aren't secret, though, and can often be guessed. Let's assume finding this for your target isn't an issue.

The most common reflection attack is through support systems; specifics will vary depending on the product used. Not all are vulnerable to this.

Open a support ticket with support@company.com pretending to have a valid complaint. Obtain the unique e-mail address for your ticket such as support+2392@company.com, and use "Sign up" at https://company.slack.com/signup#/domain-signup with the support ticket e-mail address.

The support ticket system can leak the contents of the Slack invitation as a ticket update. Once you know the validation URL, Slack allows you to sign up.
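The weakness the comment above describes is that a domain-only allowlist treats a ticket-queue address like support+2392@company.com exactly like an employee mailbox. The following is an added defensive example, not code from this thread, from Slack, or from Abbot: an invite-eligibility check that an identity engineer could put in front of domain-based auto-provisioning. It keeps the domain allowlist but also refuses to auto-invite sub-addressed mailboxes and shared/role mailboxes, sending those to a manual approval queue instead. The role-mailbox list, the domain names and the sample addresses are assumptions constructed for the example.

```python
"""Invite-eligibility check for domain-based Slack auto-provisioning.

Added example, not taken from the thread or any Slack/Abbot code. A bare
domain allowlist would auto-invite support+2392@company.com; this check
routes such addresses to human approval instead of inviting them.
"""
from dataclasses import dataclass
import re

# Assumed: local parts of shared mailboxes that a ticketing system or a
# mailing list may expose to outsiders. Extend this for your organisation.
ROLE_LOCALPARTS = {
    "support", "help", "helpdesk", "info", "sales", "billing", "security",
    "abuse", "postmaster", "noreply", "no-reply", "admin", "contact", "hr",
}

# Sub-address separator ('+' tag addressing, as in support+2392@...).
SUBADDRESS_SEPARATORS = ("+",)


@dataclass(frozen=True)
class Decision:
    allowed: bool   # True: safe to auto-invite; False: needs an admin
    reason: str     # short, log-friendly explanation


def parse_address(addr):
    """Return (local, domain) in lower case, or None if the address is malformed."""
    addr = addr.strip().lower()
    m = re.fullmatch(r"([^@\s]+)@([^@\s]+\.[a-z]{2,})", addr)
    if not m:
        return None
    return m.group(1), m.group(2)


def evaluate_invite(addr, allowed_domains):
    """Decide whether `addr` may be auto-invited under a domain allowlist.

    Anything not allowed should land in an approval queue rather than be
    silently dropped, so an admin can still invite a legitimate user who
    happens to have an unusual address.
    """
    parsed = parse_address(addr)
    if parsed is None:
        return Decision(False, "malformed address")
    local, domain = parsed
    if domain not in {d.lower() for d in allowed_domains}:
        return Decision(False, "domain not allowlisted")
    if any(sep in local for sep in SUBADDRESS_SEPARATORS):
        # e.g. support+2392@company.com: mail lands in a ticket queue, not
        # with a person, so the invite link could surface as a ticket update.
        return Decision(False, "sub-addressed mailbox")
    if local in ROLE_LOCALPARTS:
        # Shared mailboxes are readable by whoever handles the queue.
        return Decision(False, "shared/role mailbox")
    return Decision(True, "individual mailbox on allowlisted domain")


def triage(candidates, allowed_domains):
    """Split candidate addresses into (auto_invite, manual_approval) lists."""
    auto, manual = [], []
    for addr in candidates:
        decision = evaluate_invite(addr, allowed_domains)
        (auto if decision.allowed else manual).append((addr, decision.reason))
    return auto, manual


# Constructed sample input; none of these are real addresses.
SAMPLE_CANDIDATES = [
    "alice@company.com",
    "Bob.Smith@Company.com",
    "support+2392@company.com",
    "support@company.com",
    "mallory@attacker.example",
    "not-an-address",
]

if __name__ == "__main__":
    auto, manual = triage(SAMPLE_CANDIDATES, {"company.com"})
    print("auto-invite:")
    for addr, reason in auto:
        print(f"  {addr:30} {reason}")
    print("manual approval:")
    for addr, reason in manual:
        print(f"  {addr:30} {reason}")
```

The point of returning a reason string rather than a bare boolean is that the approval queue and the audit log both get the same explanation, which makes it easy to spot a pattern of sub-addressed signup attempts against the workspace.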