Skip to content

HackerOne reported issue: Phishing via OAuth applications impersonating GitLab

https://hackerone.com/reports/226117

GitLab allows a user to create an OAuth application with any name. By using a name similar to "GitLab" an attacker can create an OAuth application with a callback URI controlled by the attacker and send a link to another user: https://gitlab.com/oauth/authorize?client_id=<client_id>&redirect_uri=<callback>&response_type=code&state=blah

When a user clicks on that link they will be shown something like this:

Selection_274

To the untrained eye it appears that GitLab is requesting access to the user's API. If a user clicks "Allow" the attacker will be sent a code (via the callback URI) that can be used to retrieve an access token to impersonate the user.

To note: GitHub allows similar behavior but the access they provide is much more limited.

Implementation Proposal

Include text to warn users that this is a 3rd party application and include information about the author

Authorization required

An application called "[name]" is requesting access to your GitLab account. This application was created by >[username and profile link].

Please note that this application is not provided by GitLab and you should verify its authenticity before allowing access.

This application will be able to:

  • Access your API, allowing full read and write access to your account.

Update

This is how the App authorization dialog looks like in new Navigation design.

image

Edited by Kushal Pandya