Disclosure of Private Group's Member and Milestone Details
Reported via HackerOne. Verified that users have to be authenticated, but no authorization appears to be required.

----

```
Title: Disclosure of Private Group's Member and Milestone Details
Scope: *.gitlab.com
Weakness: None
Severity: High
Link: https://hackerone.com/reports/420492
Date: 2018-10-08 03:20:02 +0000
By: @ngalog
```

Details:

PoC:

https://gitlab.com/-/boards/813851/users.json
https://gitlab.com/-/boards/813851/milestones.json

This is possible because the board endpoint doesn't require authorisation to view the users.json and milestones.json. The board with id 813851 belongs to the group 3711406, which is private.

## Steps to reproduce

Make a group, set it to be private, and create a board; jot down the board id, and now you can view the members of the private group with these URLs:

https://gitlab.com/-/boards/{board_id}/users.json
https://gitlab.com/-/boards/{board_id}/milestones.json

## Impact

Disclosure of Private Group's Member and Milestone Details

Timeline:

2018-10-08 03:21:47 +0000: @ngalog (comment)

The easiest way to verify is probably to go to https://gitlab.com/-/boards/1/milestones.json and https://gitlab.com/-/boards/1/users.json and keep increasing the ID of the board, and you will notice none of them require authorisation. Just remember to log in before you visit the URL.

---
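The root cause described above is an authentication-only check on a resource that inherits its visibility from a parent group. The following Ruby model, added here and not GitLab's own code, shows the vulnerable behaviour next to the hardened form: the board is resolved to its parent group, the caller must be allowed to read that group, and the failure response is "not found" rather than "forbidden" so the existence of a private group is not leaked either. Class names, the in-memory data layout and the user ids are hypothetical; the board id 813851 and group id 3711406 are the ones quoted in the report.

```ruby
# Added example, not GitLab's code: minimal model of the authorization check
# the report says was missing from /-/boards/:id/users.json and
# /-/boards/:id/milestones.json. Class names and data layout are hypothetical.

# A group with a visibility level and a member list.
Group = Struct.new(:id, :visibility, :member_ids) do
  # Private groups are readable only by their members.
  def readable_by?(user_id)
    visibility == :public || member_ids.include?(user_id)
  end
end

# A board belongs to exactly one parent group.
Board = Struct.new(:id, :group_id)

class BoardAccess
  # Answer 404 for anything the caller may not see, so private groups
  # cannot be distinguished from nonexistent ones.
  class NotFound < StandardError; end

  def initialize(groups:, boards:, milestones:)
    @groups = groups.to_h { |g| [g.id, g] }
    @boards = boards.to_h { |b| [b.id, b] }
    @milestones = milestones # group_id => [milestone titles]
  end

  # Behaviour described in the report: only authentication is checked, so
  # any signed-in user can read the member list behind a private group's board.
  def users_without_authorization(board_id, user_id)
    raise NotFound if user_id.nil?
    board = @boards.fetch(board_id) { raise NotFound }
    @groups.fetch(board.group_id).member_ids
  end

  # Hardened version: resolve the parent group and require read access to it.
  def users(board_id, user_id)
    authorized_group!(board_id, user_id).member_ids
  end

  def milestones(board_id, user_id)
    group = authorized_group!(board_id, user_id)
    @milestones.fetch(group.id, [])
  end

  private

  def authorized_group!(board_id, user_id)
    raise NotFound if user_id.nil?                     # must be signed in
    board = @boards.fetch(board_id) { raise NotFound }
    group = @groups.fetch(board.group_id) { raise NotFound }
    raise NotFound unless group.readable_by?(user_id)  # must be able to read the group
    group
  end
end

# Constructed sample data; board/group ids are the ones quoted in the report.
PRIVATE_GROUP = Group.new(3711406, :private, [10, 11])
PUBLIC_GROUP  = Group.new(1, :public, [12])
SAMPLE = BoardAccess.new(
  groups: [PRIVATE_GROUP, PUBLIC_GROUP],
  boards: [Board.new(813851, 3711406), Board.new(1, 1)],
  milestones: { 3711406 => ['v1.0 (internal)'], 1 => ['v2.0'] }
)

# Returns an HTTP-style [status, body] pair so the two behaviours can be compared.
def fetch_users(access, board_id, user_id, hardened: true)
  members = if hardened
              access.users(board_id, user_id)
            else
              access.users_without_authorization(board_id, user_id)
            end
  [200, members]
rescue BoardAccess::NotFound
  [404, nil]
end

if __FILE__ == $PROGRAM_NAME
  puts "non-member, vulnerable: #{fetch_users(SAMPLE, 813851, 99, hardened: false).inspect}"
  puts "non-member, hardened:   #{fetch_users(SAMPLE, 813851, 99).inspect}"
  puts "member, hardened:       #{fetch_users(SAMPLE, 813851, 10).inspect}"
end
```

The check lives in one place (`authorized_group!`) that both JSON endpoints call, which is the property a regression test should pin down: every route nested under a board must be gated on the same parent-group policy, not only on a signed-in session.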