HackerOne reported issue: Phishing via OAuth applications impersonating GitLab
GitLab allows a user to create an OAuth application with any name. By using a name similar to "GitLab", an attacker can create an OAuth application whose callback URI is under the attacker's control and send an authorization link to another user:
When a user clicks on that link they will be shown something like this:
To the untrained eye it appears that GitLab itself is requesting access to the user's API. If the user clicks "Allow", the authorization code is sent to the attacker's callback URI and can be exchanged for an access token that impersonates the user.
Note: GitHub allows similar behavior, but the access it grants is much more limited.
Proposal: include text warning users that this is a third-party application, and show information about its author:
An application called "[name]" is requesting access to your GitLab account. This application was created by [username and profile link].
Please note that this application is not provided by GitLab and you should verify its authenticity before allowing access.
This application will be able to:
- Access your API, allowing full read and write access to your account.
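As an added example (not code from the issue or from GitLab), the function below builds the proposed dialog text from a hypothetical application record, and adds two defender-side checks that the proposal does not mention: a heuristic flag for names that read as "GitLab" and a line showing the callback host the user will be redirected to. The `OAuthApp` fields, `first_party` flag and scope table are assumptions for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical OAuth application record; the fields are what the proposed dialog needs.
@dataclass
class OAuthApp:
    name: str
    owner_username: str
    owner_profile_url: str
    redirect_uri: str
    scopes: tuple = ("api",)
    first_party: bool = False  # assumed: set only for applications GitLab itself provides

# Scope wording for "api" is the text proposed in the issue.
SCOPE_TEXT = {"api": "Access your API, allowing full read and write access to your account."}

# Characters commonly swapped for each other in look-alike names are folded together.
_CONFUSABLES = str.maketrans({"1": "i", "l": "i", "|": "i", "0": "o"})

def _canon(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower().translate(_CONFUSABLES))

def looks_like_gitlab(name: str, instance_name: str = "GitLab") -> bool:
    """Heuristic: the app name contains the instance name once case, punctuation
    and digit-for-letter substitutions are ignored (over-flags names like
    'my-gitlab-bot' on purpose; a reviewer can still approve those)."""
    return _canon(instance_name) in _canon(name)

def consent_text(app: OAuthApp, instance_name: str = "GitLab") -> str:
    """Build the authorization dialog text for a first- or third-party application."""
    lines = []
    if app.first_party:
        lines.append(f"{instance_name} is requesting access to your {instance_name} account.")
    else:
        lines.append(f'An application called "{app.name}" is requesting access to your '
                     f"{instance_name} account. This application was created by "
                     f"{app.owner_username} ({app.owner_profile_url}).")
        lines.append(f"Please note that this application is not provided by {instance_name} "
                     "and you should verify its authenticity before allowing access.")
        if looks_like_gitlab(app.name, instance_name):  # example's own addition
            lines.append(f"Warning: the application name resembles {instance_name}, "
                         "but it is not an official application.")
        host = urlparse(app.redirect_uri).hostname or "(unknown)"  # example's own addition
        lines.append(f"After you allow access you will be redirected to: {host}")
    lines.append("This application will be able to:")
    for scope in app.scopes:
        lines.append("- " + SCOPE_TEXT.get(scope, f"Use the '{scope}' scope."))
    return "\n".join(lines)
```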
This is how the app authorization dialog looks in the new navigation design.