HackerOne reported issue: Phishing via OAuth applications impersonating GitLab
https://hackerone.com/reports/226117
GitLab allows a user to create an OAuth application with any name. By using a name similar to "GitLab" an attacker can create an OAuth application with a callback URI controlled by the attacker and send a link to another user: https://gitlab.com/oauth/authorize?client_id=<client_id>&redirect_uri=<callback>&response_type=code&state=blah
When a user clicks on that link they will be shown something like this:
To the untrained eye it appears that GitLab is requesting access to the user's API. If a user clicks "Allow" the attacker will be sent a code (via the callback URI) that can be used to retrieve an access token to impersonate the user.
To note: GitHub allows similar behavior but the access they provide is much more limited.
Implementation Proposal
Include text to warn users that this is a 3rd party application and include information about the author
Authorization required
An application called "[name]" is requesting access to your GitLab account. This application was created by >[username and profile link].
Please note that this application is not provided by GitLab and you should verify its authenticity before allowing access.
This application will be able to:
- Access your API, allowing full read and write access to your account.
Update
This is how the App authorization dialog looks like in new Navigation design.