Discloses private groups in service desk emails while transfering the (public) projects.
HackerOne report #602515 by uzsunny
on 2019-06-06, assigned to jmatos_bgtvf
:
Summary
While transferring the public projects the private groups will be disclosed in service desk emails.
Steps to reproduce
Go to gitlab.com create public project in your own profile
my user name is hack2hackgitab i created the project at https://gitlab.com/hack2hackgitab/test-project-hackerone-gitlab/
Encourage users to submit service desk emails.
In service desk emails reply from victim side to the attacker. and save the email for future attack.
Next victim tries to transfer his project to any private group and in real scenario the public project becomes private when you transfer the public project to private group.
Now victim transfers his public project to private group https://gitlab.com/private-test-group-hackerone/test-project-hackerone-gitlab
after transferring when you reply to the attackers service desk emails the private group is getting disclosed.
By this attacker can view the private group names in service desk emails after transferring the public project to private groups.
And from next time if the user transfers his project from one private group another group. The private groups also disclosed.
Impact
The attacker will able to disclose the private group names in service desk emails when the public project is transferred to private group.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!