Verifying any emails including *@gitlab.com (This vulnerability is on gitlab.com main site)
HackerOne report #762568 by zapprising
on 2019-12-20, assigned to @estrike:
Summary
This vulnerability allows a malicious user to verify any email, including *[@]gitlab.com emails.
Steps to reproduce
- Go to -> https://gitlab.com/users/sign_in
- Click on register and create a profile with any email id, e.g. xyz@gitlab.com
- GitLab will register the account without verifying the email. Now go to -> https://gitlab.com/profile
- Change the email there to your own email -> xyz@gmail.com, and set the public email to xyz@gitlab.com
- Now go to your gmail id xyz@gmail.com, confirm your link, and go to -> https://gitlab.com/profile/emails (you will see both emails, xyz@gmail.com and xyz@gitlab.com, verified)
- Now go to -> https://gitlab.com/profile and set -> xyz@gitlab.com as your primary email id
That's it
Impact
This vulnerability allows users to verify any emails, including gitlab.com emails.
Impact
The attacker can verify any email on gitlab.com, including *[@]gitlab.com domain emails.
I am sending a proof of concept video.
Kindly have a look.
Regards
Zahid
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
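The report above describes a logic flaw rather than a code defect, and the page does not show GitLab's actual implementation. The following is an added example, not GitLab's code and not part of the report: a simplified Ruby model of the bug class, replaying the reporter's steps against two designs. In the vulnerable model, email confirmation is a single account-level flag, so an address that was never confirmed inherits "verified" status once any other address is confirmed and can then be promoted to primary. In the hardened model, confirmation is tracked per address and nothing is inherited when the primary changes. Class, method and address names are constructed for illustration; the model omits the public-email setting from the report.

```ruby
# Added example (not GitLab's code): a simplified model of the verification
# bypass described in the report. Names and addresses are constructed.

# Vulnerable model: one confirmation flag for the whole account. Every address
# the account has ever held inherits it once any one address is confirmed.
class VulnerableAccount
  attr_reader :primary, :secondary

  def initialize(primary)
    @primary = primary
    @secondary = []
    @account_confirmed = false
  end

  # Changing the primary address parks the old one as a secondary address.
  def change_primary(new_primary)
    @secondary << @primary unless @secondary.include?(@primary)
    @primary = new_primary
  end

  # Simulates the user clicking the confirmation link mailed to an address.
  def confirm_link_clicked(addr)
    @account_confirmed = true if addr == @primary
  end

  # Flaw: the flag is per account, so a never-confirmed secondary address
  # reports as verified.
  def verified?(addr)
    @account_confirmed && (addr == @primary || @secondary.include?(addr))
  end

  # Promotion requires "verified", but "verified" is the flawed check above.
  def set_primary(addr)
    return false unless verified?(addr)
    change_primary(addr)
    true
  end
end

# Hardened model: every address carries its own confirmed state. A new
# primary starts unconfirmed regardless of what the account already proved.
class HardenedAccount
  attr_reader :primary

  def initialize(primary)
    @primary = primary
    @addresses = { primary => { confirmed: false } }
  end

  def change_primary(new_primary)
    @addresses[new_primary] ||= { confirmed: false }
    @primary = new_primary
  end

  def confirm_link_clicked(addr)
    entry = @addresses[addr]
    entry[:confirmed] = true if entry
  end

  # Per-address check: only the address whose link was clicked is verified.
  def verified?(addr)
    entry = @addresses[addr]
    !!(entry && entry[:confirmed])
  end

  def set_primary(addr)
    return false unless verified?(addr)
    @primary = addr
    true
  end
end

# Replays the report's steps against either model and returns true when the
# never-confirmed address ends up as the verified primary (the bug).
def replay_report(account_class)
  acct = account_class.new("xyz@gitlab.com")    # register without confirming
  acct.change_primary("xyz@gmail.com")           # swap primary to an owned address
  acct.confirm_link_clicked("xyz@gmail.com")     # confirm only the gmail address
  acct.set_primary("xyz@gitlab.com")             # try to promote the unconfirmed one
  acct.primary == "xyz@gitlab.com" && acct.verified?("xyz@gitlab.com")
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable model, unconfirmed address becomes primary: #{replay_report(VulnerableAccount)}"
  puts "hardened model, unconfirmed address becomes primary:   #{replay_report(HardenedAccount)}"
end
```

The defensive point is the shape of the `verified?` check: it must answer for one specific address based on a link delivered to that address, never from account-wide state or from the address's position in a list. A regression test for this class of bug is exactly `replay_report`, run against the real account model after any change to primary or secondary email handling.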