Ability to abuse GitLab email issue creation for service verification
- Title: Access to GitLab's Slack by abusing issue creation from e-mail
- Weakness: Improper Authentication - Generic
- Severity: Critical (9.3)
- Link: https://hackerone.com/reports/218230
- Date: 2017-04-03 00:23:27 +0000
- By:
@intidc
Details: Hi there,
I found a way to become a verified GitLab team member on Slack.
By doing so, I gained access to dozens of channels possibly containing sensitive information. Note that I deleted my account intidc_hackerone immediately afterwards and did not join, read or engage with any of those channels.
How it works
-
The GitLab Slack login page allows anyone with a
@gitlab.come-mail address to join the team: -
GitLab allows new issues to be created when e-mailed to a unique e-mail address containing a secret token at
incoming+{username}/{projectname}+{token}@gitlab.com -
As you can see, this is a valid
@gitlab.come-mail address, so we can use the issues system to sign up for services like Slack, Facebook Workplace, ... -
These e-mail verification e-mails are e-mailed as new issue tickets to my project:
-
After clicking the verification link, all you need to do is set-up 2FA and you'll be able to access GitLab's Slack:
I took a screenshot of some channels as a proof of concept, but did not actually enter them
#Suggested fix
I've seen companies taking different approaches to prevent this from happening:
- Only allow employees to join the Slack group by invitation, like Facebook does.
- Enable SSO or other authentication methods, like PayPal does
These fixes can be carried out quickly but aren't waterproof: an attacker will still be able to gain access to similar services such as Facebook workplace or Yammer if they use similar authentication methods.
In the longer run, a safer approach would be:
- Requiring users to mail their issue tickets to a gitlab subdomain e-mail, such as
@reply.gitlab.com