  • #222508
Closed
Open
Issue created Jun 16, 2020 by GitLab SecurityBot@gitlab-securitybotReporter

"remember_user_token" is not getting revoked - Attacker able to takeover victim account

HackerOne report #896225 by vaib25vicky on 2020-06-11, assigned to @ngeorge1:

Summary

GitLab users have an option to revoke active sessions, which deletes the user session and prevents an attacker from accessing the account. BUT the remember_user_token is not getting revoked, and with the help of only this token one is able to log in as well as to create a new _gitlab_session token.

Steps to reproduce


  • log in as testUser and choose the "remember me" option
  • copy the remember_user_token and open a new browser or incognito window
  • in the new browser/incognito window, log in as testUser again
  • from the original browser/window, delete the active session by going to settings
  • refresh the new browser/incognito window; you'll see your session has been revoked
  • now paste the remember_user_token and its value and refresh
  • voila, you are logged in as testUser again even though the session was revoked
  • go to cookies and you'll see a new _gitlab_session token has also been created

Impact

remember_user_token is not getting revoked - Attacker able to takeover victim account

What is the current bug behavior?

remember_user_token is not getting revoked along with the session token

What is the expected correct behavior?

remember_user_token should also get revoked along with the session cookie, because otherwise there is no point in revoking only the session token. An attacker can log in to the victim's account again even when the victim has revoked the session, and access sensitive information or change settings.

Output of checks

This bug happens on GitLab.com

Please let me know if you need more info.

Cheers,
Vaibhav Singh

Impact

remember_user_token is not getting revoked even when the user opts to revoke the session, allowing an attacker to access the victim's account again using only the remember_user_token
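The failure mode described in this report, as an added Ruby model that is not GitLab's or Devise's code: a toy server keeps short-lived sessions and a long-lived remember token, and is run once with a revoke that only deletes the session (the reported behaviour) and once with a revoke that also invalidates the remember token. The class and method names, the `user:token` cookie layout and the in-memory stores are assumptions made for the illustration.

```ruby
# Illustrative model (not GitLab's code): the server must invalidate the
# remember token when a session is revoked, otherwise the remember cookie
# alone silently mints a fresh session after revocation.
require 'securerandom'

class AuthServer
  def initialize(invalidate_remember_token_on_revoke:)
    @invalidate = invalidate_remember_token_on_revoke
    @sessions = {}          # session_id => username
    @remember_tokens = {}   # username => remember token currently accepted
  end

  # "Remember me" login: returns both cookies the browser would store.
  def login_with_remember_me(user)
    @remember_tokens[user] ||= SecureRandom.hex(16)
    { '_gitlab_session' => new_session(user),
      'remember_user_token' => "#{user}:#{@remember_tokens[user]}" }
  end

  # Revoke from the "Active sessions" settings page.
  def revoke_session(session_id)
    user = @sessions.delete(session_id)
    @remember_tokens.delete(user) if @invalidate && user   # hardened variant
  end

  # Resolve request cookies to a user; when the session cookie is gone, fall
  # back to the remember cookie and mint a new session from it.
  def authenticate(cookies)
    user = @sessions[cookies['_gitlab_session']]
    return [user, cookies] if user
    name, token = cookies['remember_user_token'].to_s.split(':', 2)
    return [nil, cookies] unless token && @remember_tokens[name] == token
    [name, cookies.merge('_gitlab_session' => new_session(name))]
  end

  private
  def new_session(user)
    SecureRandom.hex(16).tap { |sid| @sessions[sid] = user }
  end
end

# Replay the report: log in with "remember me", revoke the session, then
# present only the remember cookie. Returns true when the login still works.
def remember_cookie_survives_revoke?(invalidate:)
  server = AuthServer.new(invalidate_remember_token_on_revoke: invalidate)
  cookies = server.login_with_remember_me('testUser')
  server.revoke_session(cookies['_gitlab_session'])
  user, = server.authenticate('remember_user_token' => cookies['remember_user_token'])
  user == 'testUser'
end
```

The vulnerable variant returns true (a new `_gitlab_session` is created from the stale remember cookie), the hardened variant returns false.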
