Bypass accepting terms for deleting own account
HackerOne report #768297 by nsauk
on 2020-01-05, assigned to @jeremymatos:
Summary
A user who signs up via an external provider (e.g. GitHub) has not yet accepted the ToS. At this step the user cannot go back and delete their own account via the UI, and the API does not allow it either. Using the CSRF token from the page source, this limit can be bypassed and the account removed by hand.
Steps to reproduce
- Use two accounts (in separate browser sessions): one that has accepted the ToS, and a second one that is still on the step before accepting.
- In the ToS-accepted account, go to https://gitlab.com/profile/account and copy the HTML of the form for deleting the user.
- In the other account, paste this HTML into the page and replace the authenticity_token with the value from that page's source.
- Enter the username of the account to be deleted and press Enter to submit the form; this completes the account deletion.
Impact
A user can bypass accepting the ToS to use an undocumented feature and remove their own data.
Sure, I don't think it's a real vulnerability, but it's definitely a sort of privilege escalation, since normally any request before accepting the ToS fails with a 403 or a redirect.
Examples
N/A
What is the current bug behavior?
A user can bypass accepting the ToS and perform an action that is not available in the UI or API.
What is the expected correct behavior?
Either the user cannot bypass the screen with two buttons (decline or accept), or the user can delete their own account in the UI or API at any step of registration, including the step before accepting the ToS.
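The root cause described above is a terms-acceptance gate that covers browser page loads and API calls but not a hand-submitted form. The following is an added example, not GitLab's code: a gate modelled as a plain Ruby object so it runs outside Rails. It contrasts a weak gate (constructed to reproduce the report's behaviour) with a strict one that evaluates every verb on every path against an explicit allowlist, and shows how the second expected behaviour (letting a pre-ToS user delete their own account) becomes a deliberate allowlist entry rather than an accidental gap. The paths other than /profile/account and the User struct are assumptions.

```ruby
require 'set'

# Minimal stand-in for the application's user record (assumption, not GitLab's model).
User = Struct.new(:username, :terms_accepted, keyword_init: true)

# Weak gate, constructed to mirror the report: browser GETs are redirected to the
# terms page and API calls get a 403, but any other verb on a non-API path is
# allowed, so a form posted with a valid authenticity_token is not stopped.
module WeakTermsGate
  def self.decide(user, method, path)
    return :allow if user.terms_accepted
    return :forbid_403 if path.start_with?('/api/')
    return :redirect_to_terms if method == 'GET'
    :allow
  end
end

# Strict gate: a user who has not accepted the terms is blocked on every request
# unless the (verb, path) pair is explicitly allowlisted.
class StrictTermsGate
  # Hypothetical routes a pre-ToS user must still be able to reach.
  BASE_ALLOWLIST = [
    ['GET',    '/terms'],
    ['POST',   '/terms/accept'],
    ['POST',   '/terms/decline'],
    ['DELETE', '/sign_out'],
  ].freeze

  # allow_self_delete: true implements the report's second expected behaviour
  # (own-account deletion available at any registration step) as an explicit choice.
  def initialize(allow_self_delete: false)
    @allowlist = Set.new(BASE_ALLOWLIST)
    @allowlist << ['DELETE', '/profile/account'] if allow_self_delete
  end

  def decide(user, method, path)
    return :allow if user.terms_accepted
    return :allow if @allowlist.include?([method, path])
    path.start_with?('/api/') ? :forbid_403 : :redirect_to_terms
  end
end

# Replay the report's scenario with a user still on the pre-ToS step
# (constructed sample user) and return the gate's decision for each request kind.
def replay_report(gate)
  pending = User.new(username: 'pending_user', terms_accepted: false)
  {
    page_load:  gate.decide(pending, 'GET',    '/profile/account'),
    api_call:   gate.decide(pending, 'DELETE', '/api/v4/user'),
    form_post:  gate.decide(pending, 'DELETE', '/profile/account'),
    other_post: gate.decide(pending, 'POST',   '/projects'),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "weak:   #{replay_report(WeakTermsGate)}"
  puts "strict: #{replay_report(StrictTermsGate.new)}"
end
```

The weak gate returns :allow for the form_post and other_post cases, which is exactly the hole the report exploits; the strict gate redirects both. Deciding per request rather than per entry point (UI vs. API) is what closes the gap, and any pre-ToS action the product wants to permit has to be named in the allowlist.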
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
N/A
Impact
Bypass accepting the terms to delete one's own account. Normally any request before accepting the ToS fails with a 403 or a redirect.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!