Skip to content

GitLab Next

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
GitLab FOSS
GitLab FOSS
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
    • Locked Files
  • Issues 0
    • Issues 0
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
    • Iterations
  • Merge Requests 0
    • Merge Requests 0
  • Requirements
    • Requirements
    • List
  • Security & Compliance
    • Security & Compliance
    • Dependency List
    • License Compliance
  • Operations
    • Operations
    • Incidents
    • Environments
  • Packages & Registries
    • Packages & Registries
    • Container Registry
  • Analytics
    • Analytics
    • Code Review
    • Insights
    • Issue
    • Repository
    • Value Stream
  • Snippets
    • Snippets
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Commits
  • Issue Boards
  • GitLab.org
  • GitLab FOSSGitLab FOSS
  • Issues
  • #30366

Closed
Open
Opened Apr 03, 2017 by Chris@MrChrisW☯Contributor

Ability to abuse GitLab email issue creation for service verification

  • Title: Access to GitLab's Slack by abusing issue creation from e-mail
  • Weakness: Improper Authentication - Generic
  • Severity: Critical (9.3)
  • Link: https://hackerone.com/reports/218230
  • Date: 2017-04-03 00:23:27 +0000
  • By: @intidc

Details: Hi there,

I found a way to become a verified GitLab team member on Slack. By doing so, I gained access to dozens of channels possibly containing sensitive information. Note that I deleted my account intidc_hackerone immediately afterwards and did not join, read or engage with any of those channels.

How it works

  • The GitLab Slack login page allows anyone with a @gitlab.com e-mail address to join the team:

  • GitLab allows new issues to be created when e-mailed to a unique e-mail address containing a secret token at incoming+{username}/{projectname}+{token}@gitlab.com

  • As you can see, this is a valid @gitlab.com e-mail address, so we can use the issues system to sign up for services like Slack, Facebook Workplace, ...

  • These e-mail verification e-mails are e-mailed as new issue tickets to my project:

  • After clicking the verification link, all you need to do is set-up 2FA and you'll be able to access GitLab's Slack:

I took a screenshot of some channels as a proof of concept, but did not actually enter them

#Suggested fix

I've seen companies taking different approaches to prevent this from happening:

  • Only allow employees to join the Slack group by invitation, like Facebook does.
  • Enable SSO or other authentication methods, like PayPal does

These fixes can be carried out quickly but aren't waterproof: an attacker will still be able to gain access to similar services such as Facebook workplace or Yammer if they use similar authentication methods.

In the longer run, a safer approach would be:

  • Requiring users to mail their issue tickets to a gitlab subdomain e-mail, such as @reply.gitlab.com

cc @briann @stanhu

https://gitlab.com/gitlab-com/infrastructure/issues/1511

Assignee
Assign to
None
Milestone
None
Assign milestone
Time tracking
None
Due date
None
Reference: gitlab-org/gitlab-foss#30366