A few weeks ago we brought to your attention Ticket Trick Help Desk Hacking and explained the wide variety of systems which could be susceptable to this attack. Further information on the use of this attack vector to infiltrate Google’s help desk application, Buganizer, is available via the medium article.
Synopsis
While the ticket exploit mentioned above did allow privilege escalation it did not give the attacker access to Google’s internal MOMA system.
Notification of internal support tickets was possible using the same exploit.
Further exploitation resulted from the use of internal api endpoints that did not have proper access control systems. Pretty much game over at that stage.
I highly recommend reading the article above as there are so many ways to use and pivot around this attack vector.
Recommendations
There are a wide variety of systems susceptible to this attack. If you or your company run systems like those described it may be useful to contact us for an assessment.