One Click Account Takeover using SAML Group SSO

HackerOne report #627000 by ngalog on 2019-06-24, assigned to jritchey:

Summary

I have been struggling with this "bug" for some time, it seems the security impact is not clearly explained to the end user when they are presented with the SAML SSO page.

So the end result could very well be account takeover with just one click from the user.

Steps to reproduce

  • Visit https://bugcrowd-ngalog-3.oktapreview.com/ and log in using gitlab4@gitlab.com:P@ssw0rd!
  • As the victim, log in to gitlab.com
  • Visit https://gitlab.com/groups/new-jjj-groupaaa/-/saml/sso and click Authorize

From now on, the group owner is able to log in to the victim's account if you don't have 2FA set up.

Also, the group owner would be able to use the SCIM token to change your user's email address, name, and username, just because you have joined his group using SAML.

Impact

The bug I am reporting here is that the screen presented here (Screen_Shot_2019-06-24_at_9.07.08_PM.png) is not enough to tell the user the security impact of clicking Authorize.

The description

Only proceed if you trust https://bugcrowd-ngalog-3.oktapreview.com/app/bugcrowdngalog3_gitlabssosaml_1/exkg7q4dajQl0DicA0h7/sso/saml to control your GitLab account sign in.

does not explain clearly what it means to have someone control your GitLab account sign-in.

An optimal way to tell the user the risk while authorizing is to present text something like:

Caution: By clicking Authorize, you are authorizing the group owner to log in to your personal account to view your personal project and change your email address, username or name. Only proceed if you trust the group owner fully.

Examples

https://gitlab.com/groups/new-jjj-groupaaa/-/saml/sso

What is the current bug behavior?

The description

Only proceed if you trust https://bugcrowd-ngalog-3.oktapreview.com/app/bugcrowdngalog3_gitlabssosaml_1/exkg7q4dajQl0DicA0h7/sso/saml to control your GitLab account sign in.

does not explain clearly what it means to have someone control your GitLab account sign-in.

What is the expected correct behavior?

An optimal way to tell the user the risk while authorizing is to present text something like:

Caution: By clicking Authorize, you are authorizing the group owner to log in to your personal account to view your personal project and change your email address, username or name. Only proceed if you trust the group owner fully.

Relevant logs and/or screenshots

Screen_Shot_2019-06-24_at_9.07.08_PM.png

Output of checks

This bug happens on GitLab.com.

Attachments

  • Screen_Shot_2019-06-24_at_9.07.08_PM.png