Attacker is able to access Commit ID, Team Member name and comments when directly addressed
HackerOne report #645412 by brijeshshah13
on 2019-07-16, assigned to akelly
Steps to reproduce
Let's say there are two accounts:
- Create a project from account victim@gmail.com with the following permissions:
Note that the project visibility should be internal.
- Go to profile of victim@gmail.com from attacker@gmail.com and subscribe to all events, like this:
- From the victim account, comment or start a thread on any commit directly addressing the attacker using the @ sign followed by the username, and you should receive its notification in the To-Do List on GitLab of attacker@gmail.com, like this:
Victim's comment or thread message:
Attacker's Todo List on GitLab:
As seen from the above screenshots, an attacker has easy access to Team member who commented, Commit ID and the comment itself even though the attacker is not a project member. Please let me know if you need more info.
Best Regards,
Brijesh.
Impact
An attacker will be able to view the Team member name, Commit ID, and all comments which are addressed to him directly, which shouldn't be visible to him, using this vulnerability.
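The following is an added illustration, not part of the report and not GitLab's code: a constructed Ruby sketch of the authorization check a mention-driven to-do service needs, so that a notification can never hand a user more than they could read by visiting the project themselves. The permissions screenshot referenced in the steps did not survive extraction, so the example assumes the internal project had its repository (commits and commit comments) restricted to project members, which is the configuration under which a signed-in non-member should not see a commit ID or commit comment. Every class, method, username and the commit ID below are hypothetical or constructed.

```ruby
# Constructed Ruby illustration (not GitLab's code; every class and method
# name here is hypothetical) of why a to-do created from an @-mention must be
# authorized against the target the mention sits on, not created merely
# because a username matched.
require 'set'

User = Struct.new(:id, :username, :external, keyword_init: true)

Project = Struct.new(:id, :visibility, :repository_access, :member_ids, keyword_init: true) do
  # Project-level visibility: :private, :internal (any signed-in, non-external
  # user) or :public.
  def visible_to?(user)
    case visibility
    when :public   then true
    when :internal then !user.nil? && !user.external
    else                !user.nil? && member_ids.include?(user.id)
    end
  end

  # Feature-level access to the repository (commits and commit comments):
  # :enabled follows project visibility, :members_only restricts to members.
  # Assumption for this example: the report's project used :members_only.
  def repository_readable_by?(user)
    return false unless visible_to?(user)
    return true if repository_access == :enabled
    !user.nil? && member_ids.include?(user.id)
  end
end

CommitNote = Struct.new(:project, :commit_id, :author, :body, keyword_init: true)
Todo       = Struct.new(:user_id, :commit_id, :author_username, :body, keyword_init: true)

# Username mention: "@" followed by username characters, not preceded by a word
# character (so "mail@example.com" is not read as a mention of "example.com").
MENTION_RE = /(?<!\w)@([A-Za-z0-9_][A-Za-z0-9_.-]*)/

def mentioned_usernames(body)
  body.scan(MENTION_RE).flatten.uniq
end

class TodoService
  def initialize(users)
    @by_username = users.to_h { |u| [u.username, u] }
  end

  # Behaviour the report describes: every resolvable @-mention produces a
  # to-do carrying the commit ID, the commenting team member and the comment
  # body, with no check on whether the recipient may see any of it.
  def create_mention_todos_unchecked(note)
    mentioned_users(note).map { |user| build_todo(user, note) }
  end

  # Hardened variant: a to-do is created only for users who could read the
  # commit note themselves, so the notification cannot widen access.
  def create_mention_todos(note)
    mentioned_users(note)
      .select { |user| note.project.repository_readable_by?(user) }
      .map { |user| build_todo(user, note) }
  end

  private

  def mentioned_users(note)
    mentioned_usernames(note.body).map { |name| @by_username[name] }.compact
  end

  def build_todo(user, note)
    Todo.new(user_id: user.id, commit_id: note.commit_id,
             author_username: note.author.username, body: note.body)
  end
end

# Constructed scenario mirroring the report: an internal project whose
# repository is members-only; the attacker is signed in but not a member.
VICTIM   = User.new(id: 1, username: 'victim',   external: false)
TEAMMATE = User.new(id: 2, username: 'teammate', external: false)
ATTACKER = User.new(id: 3, username: 'attacker', external: false)
PROJECT  = Project.new(id: 10, visibility: :internal, repository_access: :members_only,
                       member_ids: Set[VICTIM.id, TEAMMATE.id])
NOTE     = CommitNote.new(project: PROJECT, commit_id: 'a1b2c3d4', # constructed commit ID
                          author: VICTIM, body: '@attacker @teammate please review this change')

# Returns [usernames notified by the unchecked path, usernames notified by the hardened path].
def run_demo
  service = TodoService.new([VICTIM, TEAMMATE, ATTACKER])
  names = [VICTIM, TEAMMATE, ATTACKER].to_h { |u| [u.id, u.username] }
  [service.create_mention_todos_unchecked(NOTE).map { |t| names[t.user_id] },
   service.create_mention_todos(NOTE).map { |t| names[t.user_id] }]
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints `[["attacker", "teammate"], ["teammate"]]`: the unchecked path mirrors the report, while the hardened path drops the non-member because the check is made against the commit note's project, including its repository-level restriction, rather than against project visibility alone.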