Disclosure of Private Group's Member and Milestone Details
Reported via HackerOne. Verified that users have to be authenticated, but no authorization appears to be required.
Title: Disclosure of Private Group's Member and Milestone Details
Scope: *.gitlab.com
Weakness: None
Severity: High
Link: https://hackerone.com/reports/420492
Date: 2018-10-08 03:20:02 +0000
By: @ngalog
Details: PoC: https://gitlab.com/-/boards/813851/users.json https://gitlab.com/-/boards/813851/milestones.json
This is possible because the board endpoint doesn't require authorisation to view the users.json and milestones.json
board with id 813851 belongs to the gruop 3711406, which is private.
Steps to reproduce
Make a group, set it to be private, and create a board, jot down the board id, and now you can view the member of the private group with these url
https://gitlab.com/-/boards/{board_id}/users.json https://gitlab.com/-/boards/{board_id}/milestones.json
Impact
Disclosure of Private Group's Member and Milestone Details
Timeline: 2018-10-08 03:21:47 +0000: @ngalog (comment) easiest way to verify probably is to go https://gitlab.com/-/boards/1/milestones.json https://gitlab.com/-/boards/1/users.json
and keep increasing the ID of the board, and you will notice none of them require authorisation.
Just remember to login before you visit the url.