
Amazon EKS credentials leaked via HTML source code

HackerOne report #784130 by xanbanx on 2020-01-27, assigned to @cmaxim:

Hi GitLab Security Team,

Summary

I found a vulnerability where the Amazon EKS credentials are transmitted in plaintext to the GitLab frontend, where they are masked. However, this leaves the actual Amazon credentials stored in the HTML source code of the page. A malicious admin user can simply copy those credentials, and when they are removed from the GitLab instance they still have full Amazon access. Furthermore, an XSS vulnerability can simply read out the HTML page and thus steal the Amazon credentials.

Steps to reproduce

  1. As an admin go to `https://example.gitlab.com/admin/application_settings/integrations`
  2. In the Amazon EKS section enter a fake account ID, access key id, and secret access key. Use my-secret-access-key for the secret access key and save the changes
  3. You see that the secret access key is masked.
  4. Now open the source of the website and inspect the secret access key form
  5. You will see HTML code similar to the one below:
<input value="my-secret-access-key" class="form-control" type="password" name="application_setting[eks_secret_access_key]" id="application_setting_eks_secret_access_key">  

You notice that the value is set to my-secret-access-key although the value is masked in the UI.

Impact

The Amazon EKS credentials are leaked in the HTML source code. This vulnerability has a twofold impact:

  1. Any other admin can simply copy the credentials. If the admin is removed from the GitLab instance, this user still has full access to the Amazon account via the previously copied credentials.
  2. An XSS vulnerability can simply steal the Amazon credentials

What is the current bug behavior?

The Amazon EKS credentials are transmitted in plaintext to the frontend and are masked there, leaving them in plaintext in the HTML source code.

What is the expected correct behavior?

Do not transmit the Amazon EKS credentials to the frontend. Just transmit a dummy masked value, e.g., *******.
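An added illustration (not GitLab's code; the setting class, helper names and placeholder are constructed for this example) of the vulnerable rendering beside the hardened form, plus the update handler the hardened form needs so that the placeholder does not overwrite the stored secret:

```ruby
require 'cgi'

# Constructed stand-in for the persisted application settings record.
class ApplicationSetting
  attr_accessor :eks_secret_access_key

  def initialize(key)
    @eks_secret_access_key = key
  end
end

# Fixed sentinel the frontend shows in place of the secret.
MASKED_PLACEHOLDER = '*' * 16

FIELD_NAME = 'application_setting[eks_secret_access_key]'

# Vulnerable pattern: the stored secret is echoed into the value attribute.
# type="password" only hides it visually; "view source" or any script that
# can read the DOM recovers it verbatim.
def render_secret_field_vulnerable(setting)
  secret = CGI.escapeHTML(setting.eks_secret_access_key.to_s)
  %(<input type="password" name="#{FIELD_NAME}" value="#{secret}">)
end

# Hardened pattern: the secret never leaves the server. The field carries a
# placeholder when a secret is set and is empty when none is configured.
def render_secret_field_hardened(setting)
  value = setting.eks_secret_access_key.to_s.empty? ? '' : MASKED_PLACEHOLDER
  %(<input type="password" name="#{FIELD_NAME}" value="#{value}">)
end

# Server side of the hardened form: an unchanged placeholder or an empty
# field means "keep the existing secret"; only a new value replaces it.
# (A real secret equal to the placeholder string cannot be set this way.)
def apply_secret_update(setting, submitted)
  keep = submitted.nil? || submitted.empty? || submitted == MASKED_PLACEHOLDER
  setting.eks_secret_access_key = submitted unless keep
  setting
end

# Check a practitioner can run against rendered pages: does the response
# body contain the secret that should never have been sent?
def secret_exposed?(html, secret)
  !secret.to_s.empty? && html.include?(CGI.escapeHTML(secret))
end
```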

Output of checks


Results of GitLab environment info

System information  
System:         Ubuntu 16.04  
Proxy:          no  
Current User:   git  
Using RVM:      no  
Ruby Version:   2.6.5p114  
Gem Version:    2.7.10  
Bundler Version:1.17.3  
Rake Version:   12.3.3  
Redis Version:  5.0.7  
Git Version:    2.24.1  
Sidekiq Version:5.2.7  
Go Version:     go1.6.2 linux/amd64

GitLab information  
Version:        12.7.0-pre  
Revision:       3aac4140d99  
Directory:      /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:     PostgreSQL  
DB Version:     10.9  
URL:            https://example.gitlab.com  
HTTP Clone URL: https://example.gitlab.com/some-group/some-project.git  
SSH Clone URL:  git@example.gitlab.com:some-group/some-project.git  
Elasticsearch:  no  
Geo:            yes  
Geo node:       Primary  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers: 

GitLab Shell  
Version:        11.0.0  
Repository storage paths:  
- default:      /var/opt/gitlab/git-data/repositories  
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell  
Git:            /opt/gitlab/embedded/bin/git

Best regards,
Xanbanx

Impact

See above.