Attacker is able to access Commit ID, Team Member name and comments when directly addressed
HackerOne report #645412 by brijeshshah13 on 2019-07-16, assigned to
Steps to reproduce
Let's say there are two accounts:
- Create a project from account firstname.lastname@example.org with the following permissions:
Note that the project visibility should be
- From the victim account, comment or start a thread on any commit directly addressing the attacker using the @ sign followed by the username, and you should receive its notification on the To-Do List on GitLab of email@example.com, like this:
Victim's comment or thread message:
Attacker's Todo List on GitLab:
As seen from the above screenshots, an attacker has easy access to the Team member who commented, the Commit ID and the comment itself even though the attacker is not a project member. Please let me know if you need more info.
An attacker will be able to view the Team member's name, the Commit ID, and all comments which are addressed to him directly, which shouldn't be visible to him, using this vulnerability.
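The root cause the report describes is a to-do created for every @-mentioned user without checking whether that user may read the project. The following is an added illustration written for this page, not GitLab's own code: it models a mention-driven to-do pipeline in Ruby, shows the unfiltered behaviour beside a version gated on project read access, and runs both over a constructed commit comment. All names (Project, User, Todo, mention_targets, can_read_project?, the usernames and commit SHA) are hypothetical.

```ruby
# Added example, not GitLab's code. A to-do (or notification) built from an
# @-mention carries the commit ID, the commenter's name and the comment
# text, so creating it for a user who cannot read the project leaks all
# three. The fix is an authorization check on the mentioned user.

Project = Struct.new(:visibility, :members)   # visibility: :public, :internal, :private
User    = Struct.new(:username, :external)    # external users cannot read :internal projects
Todo    = Struct.new(:username, :commit_id, :author, :note)

# Match "@name" but not the "@" inside an e-mail address (no word char or dot before it).
MENTION_RE = /(?<![\w.])@([a-zA-Z0-9_][a-zA-Z0-9_.-]*)/

def mention_targets(note, users_by_name)
  note.scan(MENTION_RE).flatten.uniq.filter_map { |name| users_by_name[name] }
end

# Read access: members always; otherwise depends on project visibility.
def can_read_project?(user, project)
  return true if project.members.include?(user.username)
  case project.visibility
  when :public   then true
  when :internal then !user.external
  else false                         # :private (or unknown): deny
  end
end

# Vulnerable behaviour as the report describes it: every mentioned user
# gets a to-do, regardless of membership or project visibility.
def todos_unfiltered(note, commit_id, author, _project, users_by_name)
  mention_targets(note, users_by_name)
    .map { |u| Todo.new(u.username, commit_id, author, note) }
end

# Hardened: only users who can read the project receive the to-do.
def todos_filtered(note, commit_id, author, project, users_by_name)
  mention_targets(note, users_by_name)
    .select { |u| can_read_project?(u, project) }
    .map { |u| Todo.new(u.username, commit_id, author, note) }
end

# Constructed sample data (hypothetical users, project and comment).
USERS = {
  "victim"   => User.new("victim",   false),
  "teammate" => User.new("teammate", false),
  "attacker" => User.new("attacker", false),
}.freeze
PRIVATE_PROJECT = Project.new(:private, %w[victim teammate]).freeze
COMMIT_ID = "a1b2c3d4e5f6"   # hypothetical SHA
NOTE = "@attacker @teammate please review; contact victim@example.org for details"

def demo
  {
    unfiltered: todos_unfiltered(NOTE, COMMIT_ID, "victim", PRIVATE_PROJECT, USERS),
    filtered:   todos_filtered(NOTE, COMMIT_ID, "victim", PRIVATE_PROJECT, USERS),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |label, todos|
    puts "#{label}: #{todos.map(&:username).inspect}"
  end
end
```

The check belongs at to-do creation time, not only in the UI that renders the to-do list: the commit ID, author and comment text are already stored on the to-do row once it exists, so any later API or e-mail path that reads it would leak the same fields.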