HackerOne reported issue: /autocomplete/users.json can be used to enumerate users without authenticating
I've verified this finding. An attacker can walk all usernames without having an account.
Title: Backend endpoint can be used to perform User ID and Username enumeration of gitlab.com (and self-hosted gitlab installations)
Weakness: Information Disclosure
Severity: Low
Link: https://hackerone.com/reports/226064
Date: 2017-05-04 11:06:40 +0000
By: @evelynleems
Details:
The endpoint (/autocomplete/users.json
) can be accessed without a valid login and allows userids and usernames to be enumerated.
To replicate the attack:
- Open Chrome in incognito mode.
- Access
https://<your_gitlab_url>/autocomplete/users.json?search=&per_page=20&active=&project_id=&group_id=&skip_ldap=&todo_filter=&todo_state_filter=¤t_user=&push_code_to_protected_branches=&author_id=1001&skip_users=
The user ids and usernames can be enumerated through the parameter author_id
.
This vulnerability can be leveraged to identify userids and usernames of self-hosted installations of gitlab users. An example of an attack would be:
- Search for
Sign in gitlab
using Google Search. This would return a list of public accessible self-hosted installations of gitlab. - Attempt the vulnerable endpoint on the returned sites.
This issue is observed in our self-hosted installation of Gitlab CE v9.1.2.
Timeline:
2017-05-04 11:12:20 +0000: @evelynleems (comment)
Just to add on, a script can be created to iterate the author_id
to obtain the list of userids and usernames on the system.