
"remember_user_token" is not getting revoked - Attacker able to takeover victim account

HackerOne report #896225 by vaib25vicky on 2020-06-11, assigned to @ngeorge1:

Summary

GitLab users have an option to revoke an active session, which deletes the user session and prevents an attacker from accessing their account. BUT the remember_user_token is not getting revoked, and with the help of only this token one is able to log in as well as create a new _gitlab_session token.

Steps to reproduce

  • log in as testUser and choose the "remember me" option
  • copy remember_user_token and open a new browser or incognito window
  • in the new browser/incognito window, log in as testUser again
  • from the original browser/window, delete the active session by going through settings
  • refresh the new browser/incognito window; you'll see your session has been revoked
  • now, paste the remember_user_token and its value and refresh
  • voila, you are logged in as testUser again even though the session was revoked
  • go to cookies and you'll see a new _gitlab_session token has also been created

Impact

remember_user_token is not getting revoked - Attacker able to takeover victim account

What is the current bug behavior?

remember_user_token is not getting revoked along with session token

What is the expected correct behavior?

remember_user_token should also get revoked along with the session cookie, because otherwise there is no point in revoking only the session token. An attacker can again log in to the victim's account even when the victim has revoked the session, and access their sensitive information or change their settings.

Output of checks

This bug happens on GitLab.com

Please let me know if you need more info.

Cheers,
Vaibhav Singh

Impact

remember_user_token is not getting revoked even when the user opts to revoke the session, allowing an attacker to access the victim's account again using only the remember_user_token.
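The flaw in the report, and the fix a maintainer would want, modelled as a small self-contained Ruby simulation. This is an added example, not GitLab's or Devise's own code; it assumes a Devise-style "remember me" cookie of the form `user_id:remember_token` that the server will only honour while the account still holds that exact secret, so revoking a session without also discarding the secret (Devise's `forget_me!`) leaves the cookie able to mint a fresh session.

```ruby
require "securerandom"

# Constructed model of a Devise-style "remember me" flow (not GitLab's or
# Devise's code). The cookie value is "user_id:remember_token".
class User
  attr_reader :id, :remember_token, :sessions
  def initialize(id)
    @id, @remember_token, @sessions = id, nil, {}
  end
  def remember_me!               # "Remember me" ticked at login
    @remember_token = SecureRandom.hex(16)
  end
  def forget_me!                 # Devise's name for dropping the secret
    @remember_token = nil
  end
  def new_session!
    SecureRandom.hex(8).tap { |sid| @sessions[sid] = Time.now }
  end
  # Report's behaviour: only the session row is deleted. The fix is to
  # discard the remember secret in the same step (forget_remember: true).
  def revoke_session!(sid, forget_remember: false)
    @sessions.delete(sid)
    forget_me! if forget_remember
  end
end

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: rebuild a session only while the account still holds exactly
# the remember_token carried in the cookie.
def login_from_remember_cookie(users, cookie)
  id, token = cookie.split(":", 2)
  user = users[id.to_i]
  return nil unless user && user.remember_token && token &&
                    secure_compare(user.remember_token, token)
  user.new_session!
end

# Replay the report's steps; true means the copied cookie still mints a
# session after the original session was revoked.
def remember_cookie_survives_revocation?(fixed:)
  user = User.new(42)
  user.remember_me!
  cookie = "#{user.id}:#{user.remember_token}"   # copied in step 2
  sid = user.new_session!
  user.revoke_session!(sid, forget_remember: fixed)
  !login_from_remember_cookie({ 42 => user }, cookie).nil?
end
```

With `fixed: false` the copied cookie still produces a new session after revocation (the reported behaviour); with `fixed: true` the same cookie is rejected.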