Improper access control allows the attacker to comment on an internal commit after they are no longer admin

HackerOne report #635512 by hx01 on 2019-07-04:

Description:

The attacker (previously a maintainer) is able to comment on internal commits by replying to notification emails which were received before:
reply.png

Steps to reproduce

Setup:

  1. victim@domain.tld (maintainer)
  2. attacker@domain.tld (maintainer)

PoC :

  1. The analyst should comment on their commit as victim@domain.tld --> attacker@domain.tld will receive the notification.
  2. After that, the analyst should remove the attacker@domain.tld role.
  3. The analyst should reply to the notification email received:
    reply.png
  4. Bingo! It will be posted to the commit:
    post.png
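As an added illustration, not part of the original report and not GitLab's code, the following hypothetical reply-by-email handler in Ruby replays the steps above. The vulnerable handler treats the reply key embedded in the address as sufficient authorization, so a key minted while the sender was a maintainer keeps working after removal; the hardened handler re-checks current project membership when the mail is processed, and a revocation hook shows the complementary fix of dropping outstanding keys when membership is removed. All names (ReplyKeys, handle_reply_vulnerable, handle_reply_hardened, the reply+<key>@example.tld address format) are assumptions made for this example.

```ruby
require 'securerandom'
require 'set'

# Hypothetical in-memory model of a reply-by-email feature; it is an added
# example and not GitLab's code. A notification carries a per-recipient
# reply key; mail sent back to reply+<key>@... becomes a comment (note).
User    = Struct.new(:email)
Project = Struct.new(:name, :members)          # members: Set of member emails
Commit  = Struct.new(:project, :sha, :notes)   # notes: Array of hashes

class ReplyKeys
  def initialize
    @keys = {}
  end

  # Called when a notification email is sent: mint a key bound to
  # (recipient, commit) and embed it in the Reply-To address.
  def issue(user, commit)
    key = SecureRandom.hex(16)
    @keys[key] = { user: user, commit: commit }
    key
  end

  def lookup(key)
    @keys[key]
  end

  # Second line of defence: drop every outstanding key for a user whose
  # membership in the project was removed.
  def revoke_for(user, project)
    @keys.delete_if { |_, e| e[:user] == user && e[:commit].project == project }
  end
end

# Pull the 32-hex-char key out of an address such as reply+<key>@example.tld.
def extract_key(to_address)
  m = /\Areply\+([0-9a-f]{32})@/.match(to_address)
  m && m[1]
end

# Vulnerable: the reply key alone is treated as proof of authorization, so a
# key issued while the sender was a maintainer keeps working after removal.
def handle_reply_vulnerable(keys, to_address, body)
  key = extract_key(to_address)
  return :bad_address unless key
  entry = keys.lookup(key)
  return :unknown_key unless entry
  entry[:commit].notes << { author: entry[:user].email, body: body }
  :posted
end

# Hardened: the key only identifies who is replying and to what; whether that
# user may still comment is decided against current project membership.
def handle_reply_hardened(keys, to_address, body)
  key = extract_key(to_address)
  return :bad_address unless key
  entry = keys.lookup(key)
  return :unknown_key unless entry
  user, commit = entry[:user], entry[:commit]
  return :forbidden unless commit.project.members.include?(user.email)
  commit.notes << { author: user.email, body: body }
  :posted
end

# Replays the report's steps: notify the attacker, remove the attacker,
# then process the attacker's reply with each handler.
def run_scenario
  keys     = ReplyKeys.new
  victim   = User.new('victim@domain.tld')
  attacker = User.new('attacker@domain.tld')
  project  = Project.new('internal', Set[victim.email, attacker.email])
  commit   = Commit.new(project, 'deadbeef', [])

  # Step 1: victim comments; attacker gets a notification with a reply key.
  attacker_key = keys.issue(attacker, commit)
  to = "reply+#{attacker_key}@example.tld"

  # Step 2: attacker's membership is removed.
  project.members.delete(attacker.email)

  # Step 3: attacker replies to the old notification.
  vulnerable = handle_reply_vulnerable(keys, to, 'still here')
  hardened   = handle_reply_hardened(keys, to, 'still here')

  # With revocation on removal the key itself stops resolving.
  keys.revoke_for(attacker, project)
  revoked = handle_reply_vulnerable(keys, to, 'still here')

  { vulnerable: vulnerable, hardened: hardened, revoked: revoked,
    notes_by_attacker: commit.notes.count { |n| n[:author] == attacker.email } }
end

if __FILE__ == $PROGRAM_NAME
  run_scenario.each { |k, v| puts "#{k}: #{v}" }
end
```

The two fixes are complementary: the membership check at processing time closes the hole regardless of how old the key is, while revoking keys on removal also limits exposure if a notification email is later leaked or forwarded.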

Impact

This could be exploited to comment on commits by an attacker who was accidentally added to the project or was later removed.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • reply.png
  • post.png
Edited Aug 24, 2019 by charlie ablett