Notes JSON is accessible without authentication for confidential issues
Comments on confidential issues can be intercepted if you know the
For example, get all comments from #18302 (comment 12427857): https://gitlab.com/gitlab-org/gitlab-ce/notes?target_id=2377752&target_type=issue&last_fetched_at=1465855717
The vulnerability is exploitable in a number of ways. For one, just iterate through every comment ID and scrape until you find the word "security" in there. Alternatively, if someone links to a comment in an issue, the URL won't be rendered by Banzai but the comment ID still is.
Also, it's not just new comments, just set the last_fetched_at to whenever you want! https://gitlab.com/gitlab-org/gitlab-ce/notes?target_id=2377752&target_type=issue&last_fetched_at=0000000
Try those URLs in incognito/private mode, they work :)
Do I get a vulnerability reward for this?