Hyperlink Injection on Email Notifications
- Title: Hyperlink Injection on Email Notifications
- Types: Unvalidated / Open Redirect
- Link: https://hackerone.com/reports/167630
- Date: 2016-09-11 15:59:29 -0400
- By: corb3nik
Details:
Description
A user can change their name to a URL in order to send notification emails containing malicious hyperlinks.
Using this vulnerability, an attacker can abuse the Gitlab email system to send malicious emails to any user.
Steps to Reproduce
Let's assume that an attacker would like to compromise the system of the user john@doe.com (john@doe.com is not a Gitlab user).
- Create a Gitlab account with the email john@doe.com
- Navigate to https://gitlab.com/profile
- Change your name to http://evilsite.com
- Change your password
The user john@doe.com will receive a legitimate Gitlab email containing a potentially malicious URL. This issue also occurs with other notifications, such as adding a new email address through https://gitlab.com/profile/emails.
Consequences
This permits users to send malicious/phishing links to potential clients. It could also have an effect on how spam filters treat Gitlab.com emails.
Timeline:
2016-09-12 11:27 (-0400): @rspeicher (comment) @Corb3nik Thank you for the report.
- What email client is this? I think this would require that the client autolinks URL-like text, since we don't do any kind of linking for the name ourselves.
- The default configuration for GitLab requires that users confirm their email address before they can sign in. This would prevent an attacker from signing up with the victim's email address and then changing their name to something malicious.
2016-09-12 13:43 (-0400): @Corb3nik (comment) @rspeicher Thank you for the quick response.
I have checked the source code of the emails I received and you're right, it is the mail client that adds the clickable links.
With that said, I have tested this behaviour on two mail clients: MailMate and Gmail.
Since Gmail behaves this way, I would still suggest proceeding with this report as it affects a wide audience.
As for your second point, you are correct; my mistake. I have found an alternative though:
- Create a Gitlab account.
- Browse to https://gitlab.com/profile/emails.
- Add the email address of the victim.
- Browse to https://gitlab.com/profile/notifications.
- Change the notification email to the victim's email.
- Set the Global notification level to Watch
- Browse to https://gitlab.com/profile/emails and add a new email address.
The victim's email address will now receive a notification with the malicious URL.
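Two server-side checks that follow from this thread, written here as an added example rather than GitLab's code or the reporter's. The maintainer's comment establishes that the mail client, not GitLab, turns URL-like text into a link, so the practical control is on the name field itself: reject display names that a client would autolink. The alternative path in the last comment only works if a notification is delivered to an address the account holder has not confirmed, so the second check resolves the notification recipient to a confirmed address only. The module name, method names, the regex and the `confirmed_by_address` hash shape are assumptions for illustration.

```ruby
# Added example, not GitLab code. ProfileGuards, its methods and the
# confirmed-addresses hash shape are hypothetical names for illustration.
module ProfileGuards
  # Text that common mail clients (Gmail was confirmed in the thread) render
  # as a clickable link: an explicit scheme or www. prefix, or a bare
  # host name ending in a TLD, optionally followed by a path.
  URL_LIKE = %r{
    (?:\A|\s)(?:[a-z][a-z0-9+.-]*://|www\.)\S+           # http://evilsite.com, www.evilsite.com
    |
    \b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?\b  # evilsite.com, evilsite.com/login
  }ix

  # Returns nil when the display name is acceptable, otherwise a reason
  # string suitable for a validation error message.
  def self.name_rejection(name)
    return 'name must not be blank' if name.nil? || name.strip.empty?
    return 'name must not contain a URL or host name' if name.match?(URL_LIKE)
    nil
  end

  def self.valid_name?(name)
    name_rejection(name).nil?
  end

  # confirmed_by_address maps each address on the account to whether the
  # holder has confirmed it, e.g. { 'me@example.com' => true,
  # 'victim@example.com' => false } (constructed shape, not GitLab's model).
  # Notifications go to the chosen notification address only if it is
  # confirmed; otherwise they fall back to a confirmed primary, or to nil
  # (send nothing) when neither address is confirmed.
  def self.notification_recipient(primary, notification_email, confirmed_by_address)
    return notification_email if confirmed_by_address[notification_email]
    return primary if confirmed_by_address[primary]
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  ['John Doe', 'J.R.R. Tolkien', 'http://evilsite.com', 'evilsite.com/login'].each do |n|
    puts "#{n.inspect}: #{ProfileGuards.name_rejection(n) || 'ok'}"
  end

  # Constructed account state mirroring the alternative path in the thread:
  # the attacker's own address is confirmed, the added victim address is not.
  addresses = { 'attacker@example.com' => true, 'victim@example.com' => false }
  puts ProfileGuards.notification_recipient('attacker@example.com',
                                            'victim@example.com', addresses)
end
```

The host-name pattern is deliberately conservative, so a name written as `first.last` is rejected along with `evilsite.com`; a deployment that wants to allow dotted names can drop the second alternative and accept that bare host names then pass.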