Skip to content

Disclosure of Private Group's Member and Milestone Details

Reported via HackerOne. Verified that users have to be authenticated, but no authorization appears to be required.

Title:         Disclosure of Private Group's Member and Milestone Details
Scope:         *.gitlab.com
Weakness:      None
Severity:      High
Link:          https://hackerone.com/reports/420492
Date:          2018-10-08 03:20:02 +0000
By:            @ngalog

Details: PoC: https://gitlab.com/-/boards/813851/users.json https://gitlab.com/-/boards/813851/milestones.json

This is possible because the board endpoint doesn't require authorisation to view the users.json and milestones.json

board with id 813851 belongs to the gruop 3711406, which is private.

Steps to reproduce

Make a group, set it to be private, and create a board, jot down the board id, and now you can view the member of the private group with these url

https://gitlab.com/-/boards/{board_id}/users.json https://gitlab.com/-/boards/{board_id}/milestones.json

Impact

Disclosure of Private Group's Member and Milestone Details

Timeline: 2018-10-08 03:21:47 +0000: @ngalog (comment) easiest way to verify probably is to go https://gitlab.com/-/boards/1/milestones.json https://gitlab.com/-/boards/1/users.json

and keep increasing the ID of the board, and you will notice none of them require authorisation.

Just remember to login before you visit the url.