company of the week: 8x8
8x8 runs other companies' phone lines and contact centers — and quietly publishes a map of its own: 86 contact-center admin consoles laid out region by region, a 20-year graveyard of voip brands still in scope, and a clean url surface that reads as a checklist of what a researcher looks for first.
You have almost certainly talked to 8x8 without hearing its name. Call a company's support line — the menu, the hold music, the hand-off to an agent — and there's a good chance 8x8 is the software running that call. It sells other businesses their phone system, their video meetings, their contact center, and the messaging that texts you a login code: the communications layer thousands of companies rent instead of building.
It runs a public bug bounty on HackerOne, which puts that estate in scope for outside research — neobotnet's full index is in /urls.
read from dns: twenty years of voip, half of it ghosts
Public DNS hands you the shape of the company first. 8x8's scope is twenty-three root domains, and they read like a timeline of the telephony business — two decades of buying across the industry, every brand keeping its own name. They sort into three layers:
8x8 · 23 in-scope roots · two decades of voip, read top to bottom
│
├─ the core, live ......... 8x8.com the mothership
│ 8x8.vc jitsi-powered video meetings
│ 8x8.studio · 8x8.id · 8x8.uk
│
├─ the acquisitions, live . wavecell.com ...... messaging apis (singapore, bought 2019)
│ jitsi.net ......... open-source video (from atlassian, 2018)
│ in2tel.ie ......... irish business-phone carrier
│ call-control.ie ... irish carrier
│
└─ the ghosts, dark ....... packet8.net ........ 8x8's 2002 consumer brand — 150 hosts, 0 live
(resolve, serve nothing) thinkingphones.com . former name of fuze — 19 hosts, 0 live
p8t.us · 8x8testa.com · 8x8testb.com · 8x8e2e.com · 8x8.co.uk
└─ 9 of the 23 roots serve no live page at all — all still in scope
That bottom layer is worth a second look. Nine of the twenty-three roots resolve but serve no live web page. packet8.net still carries 150 hostnames; not one answers HTTP. These are brands that stopped being products years ago, whose DNS was never torn down — and they're still in 8x8's bounty scope today. A root that resolves but serves nothing is where forgotten infrastructure runs unwatched, and it's exactly what a researcher checks first: old, unowned, still answering.
browse the dns layer in /dns →
read from http: the contact center, eighty-six times
Two hundred and thirty-seven hosts answer with a live page, and one title drowns out the rest. The most common page across the whole estate — eighty-six hosts — is a single screen, Welcome to Configuration Manager: the admin console for 8x8's Virtual Contact Center, where a customer wires up call queues, agents, hours, and routing.
Eighty-six of them, and the hostnames are a map — 8x8's global contact-center footprint, every regional cell named and counted, before you send a single request:
8x8 virtual contact center · 86 admin consoles, one "Configuration Manager" per cell
│
│ region consoles hostnames
├─ north america ....... 60 ... vcc-na1 … vcc-na39 (+ c3-na1 … c3-na6, a second cluster)
├─ europe .............. 19 ... vcc-eu2 … vcc-eu12
├─ canada .............. 3 ... vcc-ca1 · vcc-ca2
├─ australia ........... 2 ... vcc-au1 (+ failover)
├─ asia-pacific ........ 1 ... vcc-ap1
└─ sandbox ............. 1 ... vcc-sb1
│
each cell = one config-manager + a "-b" failover twin + a "-vip" load balancer
│
edge: 79 of 86 answer as bare nginx · only 3 sit behind cloudflare
(every one of 8x8's customer login pages, by contrast, is behind cloudflare)
Two things jump out. The redundancy model is in the names — -b twins are failovers, -vip hosts are load balancers — and the edge is uneven: the customer login sits behind Cloudflare, while the console that configures the contact center mostly answers as bare nginx. None of it is a way in — a 200 means the gate loaded, not opened — but the enumeration is the point, and 8x8 agrees: vcc-*.8x8.com is one of the few wildcards it marks bounty-eligible.
see the configuration managers in /probes →
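Reading that map out of the hostnames alone is mechanical, and worth having as code. The block below is an added example, not neobotnet's code and not 8x8's: a parser for the naming grammar the page describes (vcc-<region><n>, c3-<region><n> as a second cluster, a -b failover twin and a -vip load balancer per cell), a per-region roll-up that also splits the edge into bare versus Cloudflare, and a list of the twins the grammar predicts but the probe list does not contain. The probe records, Server headers included, are constructed for the example; only the grammar comes from the page.

```python
"""Added example, not neobotnet's code: read the regional map out of hostnames.
The naming grammar (vcc-<region><n>, c3-<region><n> as a second cluster, a -b
failover twin and a -vip load balancer per cell) comes from the page; the probe
records below are constructed for the example, Server headers included."""
import re
from collections import defaultdict

HOST_RE = re.compile(
    r"^(?P<cluster>vcc|c3)-(?P<region>[a-z]{2})(?P<index>\d+)"
    r"(?:-(?P<role>b|vip))?\.8x8\.com$"
)
ROLE = {None: "config-manager", "b": "failover", "vip": "load-balancer"}
REGION = {"na": "north america", "eu": "europe", "ca": "canada",
          "au": "australia", "ap": "asia-pacific", "sb": "sandbox"}

# Constructed sample probes: (hostname, Server header). Not real 8x8 results.
SAMPLE_PROBES = [
    ("vcc-na1.8x8.com", "nginx"), ("vcc-na1-b.8x8.com", "nginx"), ("vcc-na1-vip.8x8.com", "nginx"),
    ("vcc-na2.8x8.com", "nginx"), ("vcc-na2-b.8x8.com", "cloudflare"),
    ("c3-na1.8x8.com", "nginx"),
    ("vcc-eu2.8x8.com", "nginx"), ("vcc-eu2-b.8x8.com", "nginx"),
    ("vcc-au1.8x8.com", "nginx"), ("vcc-au1-b.8x8.com", "nginx"),
    ("vcc-sb1.8x8.com", "nginx"),
    ("login.8x8.com", "cloudflare"),    # not a cell: the parser skips it
    ("vcc-na1.example.net", "nginx"),   # wrong root: skipped too
]


def parse_host(host):
    """Split one hostname into cluster, region, cell index and role; None if it is not a cell."""
    m = HOST_RE.match(host.lower())
    if not m:
        return None
    return {"cluster": m["cluster"], "region": m["region"],
            "index": int(m["index"]), "role": ROLE[m["role"]]}


def regional_map(probes):
    """Per region: distinct cells, hosts per role, and how many sit behind Cloudflare."""
    acc = defaultdict(lambda: {"cells": set(), "roles": defaultdict(int), "bare": 0, "cloudflare": 0})
    for host, server in probes:
        p = parse_host(host)
        if p is None:
            continue
        r = acc[REGION.get(p["region"], p["region"])]
        r["cells"].add((p["cluster"], p["index"]))
        r["roles"][p["role"]] += 1
        r["cloudflare" if server.lower().startswith("cloudflare") else "bare"] += 1
    return {region: {"cells": len(v["cells"]), "roles": dict(v["roles"]),
                     "bare": v["bare"], "cloudflare": v["cloudflare"]}
            for region, v in acc.items()}


def missing_twins(probes):
    """Failover/-vip names the grammar predicts for seen cells but the probe list lacks."""
    seen = {host.lower() for host, _ in probes}
    gaps = set()
    for host, _ in probes:
        p = parse_host(host)
        if p and p["role"] == "config-manager":
            base = f"{p['cluster']}-{p['region']}{p['index']}"
            for suffix in ("-b", "-vip"):
                candidate = f"{base}{suffix}.8x8.com"
                if candidate not in seen:
                    gaps.add(candidate)
    return sorted(gaps)


if __name__ == "__main__":
    for region, stats in regional_map(SAMPLE_PROBES).items():
        print(f"{region:<14} cells={stats['cells']} roles={stats['roles']} "
              f"bare={stats['bare']} cloudflare={stats['cloudflare']}")
    print("unseen twins:", ", ".join(missing_twins(SAMPLE_PROBES)))
```

The missing_twins list is the enumeration step the page calls "the point": names the grammar says should exist, each a single resolve-and-probe away from confirming the cell's redundancy model.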

read from the urls: a clean surface, and what a dirty one looks like
Here the estate goes quiet. neobotnet indexed only 803 URLs for 8x8 — three or so per live host, against a hundred thousand or more for companies this size. When the live surface is nearly all login pages and config-manager gates, a passive crawl never gets past the front door; what it reached is the public part, the community forum and help center. And it's clean: no cloud keys, no credentials, no tokens. So the value here isn't a finding — it's a clean look at the two URL shapes a researcher checks first. Both fire on 8x8, and both turn out benign.
1 — redirect parameters: the login's return ticket. Many sign-in flows carry a parameter meaning "once you're logged in, send the user back here" — ReturnUrl, redirect_uri, next. On 8x8 they hand you back to community.8x8.com (…/login?ReturnUrl=https://community.8x8.com/…). The risk: the browser goes wherever that value points, so if the server doesn't check that the address belongs to 8x8, an attacker can craft a link that logs you into the real 8x8 and bounces you to a look-alike phishing page — or, when the flow returns a code or token in that redirect, skims the session the login hands back. It's worsened by where that URL lands: server logs, browser history, and the Referer header sent with every third-party resource the page loads. Here every value points back to 8x8's own forum — a shape to test, not a finding.
see the redirect parameters in /urls →
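What "the server checks the address belongs to 8x8" has to mean in practice is the interesting part, so here is that check written out. This is an added example, not neobotnet's code and not 8x8's: the prefix test that usually gets written first, beside a parse-the-host allowlist that survives the standard bypasses. ALLOWED_HOSTS, FALLBACK and the sample inputs are assumptions for the example; the only thing taken from the corpus above is community.8x8.com as the ReturnUrl target.

```python
"""Added example, not neobotnet's or 8x8's code: validate a post-login ReturnUrl.
ALLOWED_HOSTS, FALLBACK and the sample inputs are assumptions for this example;
only community.8x8.com as a redirect target comes from the page."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"community.8x8.com"}
FALLBACK = "https://community.8x8.com/"

# Constructed inputs: two legitimate shapes, then the classic bypasses.
SAMPLE_RETURN_URLS = [
    "https://community.8x8.com/t5/forums",       # absolute, allowed host
    "/t5/forums",                                # path-relative, stays on-site
    "https://community.8x8.com.evil.example/",   # allowed host as a subdomain label
    "https://community.8x8.com@evil.example/",   # allowed host as userinfo
    "//evil.example/",                           # protocol-relative
    "/\\evil.example",                           # backslash, which browsers treat as '/'
    "https:evil.example",                        # missing slashes, still absolute to a browser
    "javascript:alert(1)",                       # non-http scheme
]


def naive_is_safe(return_url: str) -> bool:
    """The check that is usually written first: a string prefix test.
    Every bypass above that begins with the allowed origin passes it."""
    return return_url.startswith("https://community.8x8.com")


def safe_return_url(return_url: str, fallback: str = FALLBACK) -> str:
    """Return a redirect target the login may send the browser to.

    Accepts only (a) a path-absolute relative URL or (b) an absolute https URL
    whose *parsed* host is allow-listed. Anything else becomes the fallback.
    """
    if not return_url or any(ch in return_url for ch in "\\\r\n\t \x00"):
        return fallback                 # backslashes and whitespace are parser-confusion tools
    if return_url.startswith("/"):
        return fallback if return_url.startswith("//") else return_url
    parts = urlsplit(return_url)
    if parts.scheme.lower() != "https" or not parts.netloc:
        return fallback                 # drops javascript:, data:, and 'https:evil.example'
    if "@" in parts.netloc:
        return fallback                 # userinfo trick: allowed.host@evil.example
    try:
        parts.port                      # 'host:notaport' raises ValueError
    except ValueError:
        return fallback
    host = (parts.hostname or "").rstrip(".")   # urlsplit lowercases hostname already
    if host not in ALLOWED_HOSTS:
        return fallback
    return return_url


def audit(urls):
    """(input, naive verdict, hardened result) per sample, for side-by-side reading."""
    return [(u, naive_is_safe(u), safe_return_url(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, hardened in audit(SAMPLE_RETURN_URLS):
        print(f"{'naive ok' if naive else 'naive no'}  -> {hardened:<40} {url}")
```

The design choice is to validate the host the browser will actually connect to, not the string the user supplied: parse first, compare the parsed hostname against an allowlist, and refuse anything the parser and the browser might disagree about (backslashes, userinfo, missing slashes) rather than trying to normalise it.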

2 — UUIDs: the identifier an attacker swaps. A UUID is a long random id; 8x8's forum puts them in URLs to point at a person, thread, or document — UserKey on /profile, MessageKey on a reply. Any id in a URL invites changing it: the standard test, IDOR (insecure direct object reference), is to swap your id for someone else's and see whether the server hands over their data without checking. On 8x8 these are the forum platform's own keys on already-public pages, so a swap shows you another public thread, not a private account — and, as long as the version nibble reads 4, they're random, not guessable user=1027 ids, which is the version that actually gets walked. (The one caveat worth a glance: a version-1 UUID is a timestamp plus node address, and those can be walked too.)
see the uuid identifiers in /urls →
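The triage behind that paragraph, as an added example (not neobotnet's or 8x8's code): classify each URL parameter by how walkable it is, produce the neighbours an IDOR test would try next, and for the one kind that looks random but isn't, show what it leaks. It goes a step past the page in covering version-1 UUIDs. The sample URLs, their host and every key in them are constructed; the UserKey/MessageKey parameter names are the only thing taken from the page, and the v1 value is the RFC 4122 DNS namespace UUID, chosen because its version nibble is 1.

```python
"""Added example, not neobotnet's or 8x8's code: triage URL identifiers by how
walkable they are. Sample URLs are constructed and only imitate the
UserKey/MessageKey shape described on the page."""
import uuid
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# Constructed sample URLs (hypothetical host and values; not real 8x8 data).
SAMPLE_URLS = [
    "https://community.example/profile?UserKey=3f2504e0-4f89-41d3-9a0c-0305e82c3301",
    "https://community.example/message?MessageKey=9a7b5e1c-1a2b-4c3d-8e9f-0a1b2c3d4e5f",
    "https://community.example/legacy/ticket?id=1027",
    "https://community.example/doc?DocKey=6ba7b810-9dad-11d1-80b4-00c04fd430c8",
    "https://community.example/thread?slug=reset-password-loop",
]

UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)   # RFC 4122 v1 clock origin


def classify(value: str) -> str:
    """Label one identifier by the enumeration strategy it invites."""
    if value.isdigit():
        return "int"            # sequential: id-1, id+1 and keep going
    try:
        u = uuid.UUID(value)
    except ValueError:
        return "opaque"         # slug or unknown token: nothing to walk
    if u.variant != uuid.RFC_4122:
        return "uuid-nonstandard"
    if u.version == 4:
        return "uuid-v4"        # 122 random bits: not guessable
    if u.version == 1:
        return "uuid-v1"        # timestamp + clock_seq + node: ordered, walkable
    return f"uuid-v{u.version}"


def uuid1_ticks(value: str) -> int:
    """60-bit clock value of a v1 UUID (100 ns ticks since 1582-10-15)."""
    return uuid.UUID(value).time


def uuid1_timestamp(value: str) -> datetime:
    """Creation time a v1 UUID leaks, as a UTC datetime."""
    return UUID_EPOCH + timedelta(microseconds=uuid1_ticks(value) // 10)


def uuid1_with_ticks(value: str, ticks: int) -> str:
    """Rebuild a v1 UUID with the same clock_seq and node but another clock value."""
    u = uuid.UUID(value)
    fields = (
        ticks & 0xFFFFFFFF,                      # time_low
        (ticks >> 32) & 0xFFFF,                  # time_mid
        ((ticks >> 48) & 0x0FFF) | (1 << 12),    # time_hi with version nibble 1
        u.clock_seq_hi_variant,
        u.clock_seq_low,
        u.node,
    )
    return str(uuid.UUID(fields=fields))


def guessable_neighbors(value: str, steps: int = 2) -> list:
    """Candidate ids an IDOR test would try next; empty when the id is random."""
    kind = classify(value)
    offsets = [d for d in range(-steps, steps + 1) if d]
    if kind == "int":
        return [str(int(value) + d) for d in offsets]
    if kind == "uuid-v1":
        base = uuid1_ticks(value)
        return [uuid1_with_ticks(value, base + d) for d in offsets]
    return []


def triage(urls: list) -> list:
    """(parameter, value, class) for every query parameter in the URL list."""
    return [(name, value, classify(value))
            for url in urls
            for name, value in parse_qsl(urlsplit(url).query)]


if __name__ == "__main__":
    for name, value, kind in triage(SAMPLE_URLS):
        extra = f"  created {uuid1_timestamp(value):%Y-%m-%d %H:%M:%S}Z" if kind == "uuid-v1" else ""
        print(f"{kind:<8} {name}={value}{extra}")
        for cand in guessable_neighbors(value):
            print(f"         try {name}={cand}")
```

The point the page makes holds for the v4 keys: guessable_neighbors returns nothing for them. The v1 case is the one to keep in mind when reading a UUID as "random": adjacent clock ticks with the same node are valid neighbours, and the timestamp alone tells you when the record was created.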

Clean, then — but clean the way a locked building is empty. The data that matters sits behind the eighty-six configuration managers and the login wall, where a passive crawl can't reach. What the open URLs give you is the shapes you'd hunt if one of those doors were left ajar.
what it adds up to
8x8's core is well-kept: a Cloudflare-fronted login wall, a URL corpus with no secrets, internal tools behind sign-in. What it leaks is shape — and two pieces of it rank above the rest:
- the contact-center configuration managers — eighty-six admin consoles, enumerable as a regional map, seventy-nine answering as bare nginx instead of behind the Cloudflare edge that fronts every customer login. Test how completely each login actually holds — and 8x8 already marks the surface bounty-eligible.
- the non-production estate — sixty-four hostnames naming dev, staging, test, and UAT: work-staging.8x8.com, the 8x8staging.com root, the sandbox cell vcc-sb1. Non-prod is where production's rules go to relax.
Two things stated plainly, the way this series always closes. Every item above is a signal, not a confirmed vulnerability — neobotnet surfaces the shape; confirming exploitability is the researcher's job. And the right destination for anything live is 8x8's HackerOne program, not a blog post.
next week
neobotnet runs the same pass on a different in-scope program every week. Subscribe via RSS or browse the company of the week archive.
spotted something interesting or wrong? sam@neobotnet.com.
