HackerOne reported issue: /autocomplete/users.json can be used to enumerate users without authenticating

I've verified this finding. An attacker can walk all usernames without having an account.

---

Title: Backend endpoint can be used to perform User ID and Username enumeration of gitlab.com (and self-hosted gitlab installations)

Weakness: Information Disclosure

Severity: Low

Link: https://hackerone.com/reports/226064

Date: 2017-05-04 11:06:40 +0000

By: @evelynleems

Details: The endpoint (/autocomplete/users.json) can be accessed without a valid login and allows userids and usernames to be enumerated.

To replicate the attack:

1. Open Chrome in incognito mode.
2. Access https://<your_gitlab_url>/autocomplete/users.json?search=&per_page=20&active=&project_id=&group_id=&skip_ldap=&todo_filter=&todo_state_filter=&current_user=&push_code_to_protected_branches=&author_id=1001&skip_users=

The user ids and usernames can be enumerated through the parameter author_id.

This vulnerability can be leveraged to identify userids and usernames of self-hosted installations of gitlab users. An example of an attack would be:

1. Search for Sign in gitlab using Google Search. This would return a list of public accessible self-hosted installations of gitlab.
2. Attempt the vulnerable endpoint on the returned sites.

This issue is observed in our self-hosted installation of Gitlab CE v9.1.2.

Timeline: 2017-05-04 11:12:20 +0000: @evelynleems (comment) Just to add on, a script can be created to iterate the author_id to obtain the list of userids and usernames on the system.