๐งฐ Support, Admin, and Recovery Flow Abuse
Intro: Many mature products defend normal user flows better than they defend support overrides, impersonation, recovery, or delegated administration. Attackers notice this quickly because these workflows often collapse multiple trust boundaries into one operational shortcut.
What this page includes
- abuse patterns in support and admin tooling
- recovery flow risks that lead to account takeover or tenant compromise
- controls for impersonation, override, and break-glass style actions
- telemetry and notification expectations
High-risk flow families
Support impersonation
Risks:
- agents can act across tenants too broadly;
- session duration is too long;
- reasons are not captured;
- actions performed during impersonation are weakly logged;
- customer-visible notice is missing.
Account recovery
Risks:
- recovery paths weaker than login paths;
- support-assisted reset bypassing MFA assurance;
- email change and password reset sequence abuse;
- social engineering against support or operations.
Delegated administration
Risks:
- organization admins can escalate beyond intended scope;
- role grant flows are not re-authenticated;
- stale delegated access remains after org changes;
- invite acceptance or admin approval paths are replayable.
Minimum control expectations
- short-lived impersonation sessions;
- reason capture and case linkage;
- explicit policy for which staff roles can impersonate whom;
- customer-visible audit trail or notification for especially sensitive actions;
- re-authentication for recovery and privileged role change;
- dual approval for the most sensitive overrides or tenant-wide actions.
Review questions
- Which normal control is being bypassed here, and why?
- Could a compromised support account act across many tenants?
- What evidence exists after the action completes?
- Would the customer know something sensitive happened?
Related pages
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.