Don't generate valid Gitlab licenses through https://customers.stg.gitlab.com
HackerOne report #726223 by rpadovani
on 2019-10-31, assigned to @cmaxim:
Summary
I can create valid Gitlab licenses through https://customers.stg.gitlab.com
Steps to reproduce
- Register as a standard user at https://customers.stg.gitlab.com
- Buy a license for Gitlab Ultimate
- When asked for a credit card, insert one of these: https://stripe.com/docs/testing#cards
- You now have a license and an invoice from Gitlab (which could also be used for tax fraud)
- Insert the license in an instance
- Free Gitlab Ultimate!
Impact
Free Gitlab Ultimate
What is the current bug behavior?
Staging is accessible and generates valid licenses
What is the expected correct behavior?
Staging shouldn't be accessible
Relevant logs and/or screenshots
Attached the license and the invoice
Impact
Free Gitlab Ultimate, valid invoices when nothing was paid
Attachments
Warning: Attachments received through HackerOne, please exercise caution!