Ability To Delete User(s) Account Without User Interaction
HackerOne report #928255 by hx01 on 2020-07-20, assigned to @rchan-gitlab:
Summary:
GitLab allows its users to exercise their GDPR rights (Right to Access/Delete) over their user data by sending an email to gdpr-request@gitlab.com; however, the GitLab team doesn't ask a security question (i.e. date of birth) before deleting the user account, and moreover doesn't authenticate the incoming emails to their instance, which allows an attacker to delete user accounts without user interaction:
REDACTED SCREENSHOT, ask someone with access to recover it from HackerOne if needed
Steps to reproduce
1. Send a spoofed email from the victim's email address to gdpr-request@gitlab.com via a reputable SMTP provider (e.g. SendGrid):
REDACTED SCREENSHOT, ask someone with access to recover it from HackerOne if needed
2. The victim will receive the following confirmation email:
3. In the next few days the victim's account will be deleted:
REDACTED SCREENSHOT, ask someone with access to recover it from HackerOne if needed
Fix :
- Add a second verification step, i.e. ask for DOB or a government ID.
Impact
Since GitLab doesn't verify the request with a valid ID before triggering Right to Access/Deletion, this breaches GDPR law (Article 15) and moreover allows an attacker to delete user accounts without user interaction.
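An added illustration of the receiving-side check this report shows to be missing; it is not code from the report or from GitLab. The idea is to act on a mailed request only when the inbound MTA's own Authentication-Results header records a DMARC pass aligned with the From domain (a relay such as SendGrid passes SPF/DKIM for its own domain, not the victim's), and then to require a one-time confirmation token that is sent only to the address on file, so a spoofer who cannot read the victim's mailbox cannot complete the loop. The sample messages, the authserv-id `mx.example.net`, the `ACCOUNTS` table and the class/function names are all constructed for this example.

```python
"""Gate a mailed GDPR request on sender authentication plus a confirmation loop.

Added example; the messages, domains and account table below are constructed.
"""
import re
import secrets
from email import message_from_string, policy
from email.utils import parseaddr

# What the receiving MTA (authserv-id mx.example.net, an assumption) would record
# after checking SPF/DKIM/DMARC. Mail relayed through a third-party SMTP service
# with a forged From header typically passes SPF/DKIM for the relay's domain but
# fails DMARC alignment with the From domain.
SPOOFED_REQUEST = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.relay.example; dkim=pass header.d=relay.example; dmarc=fail header.from=victim.example
From: Victim <victim@victim.example>
To: gdpr-request@example.com
Subject: Delete my account

Please delete my account under GDPR.
"""

# The same request, genuinely sent from the victim's own domain.
LEGIT_REQUEST = SPOOFED_REQUEST.replace(
    "spf=pass smtp.mailfrom=bounce.relay.example; dkim=pass header.d=relay.example; dmarc=fail",
    "spf=pass smtp.mailfrom=victim.example; dkim=pass header.d=victim.example; dmarc=pass",
)

# An attacker can also inject an Authentication-Results header of their own;
# only the one carrying our MTA's authserv-id may be trusted.
FORGED_AR_REQUEST = (
    "Authentication-Results: attacker.example; dmarc=pass header.from=victim.example\n"
    + SPOOFED_REQUEST
)

AUTH_VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|neutral|softfail|temperror|permerror)\b")
HEADER_FROM_RE = re.compile(r"header\.from=([\w.-]+)")


def from_address(msg):
    """Lower-cased address part of the From header ('' if absent)."""
    return parseaddr(str(msg["From"] or ""))[1].lower()


def is_sender_authenticated(raw_message, authserv_id):
    """True only if our own MTA recorded dmarc=pass aligned with the From domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = from_address(msg).rpartition("@")[2]
    for header in msg.get_all("Authentication-Results", []):
        header = str(header)
        if header.split(";", 1)[0].strip().lower() != authserv_id.lower():
            continue  # not written by our MTA: attacker-controllable, ignore
        verdicts = dict(AUTH_VERDICT_RE.findall(header))
        aligned = HEADER_FROM_RE.search(header)
        if verdicts.get("dmarc") == "pass" and aligned and aligned.group(1).lower() == from_domain:
            return True
    return False


class DeletionRequests:
    """Pending deletions keyed by a one-time token delivered to the registered address."""

    def __init__(self):
        self._pending = {}

    def open(self, raw_message, authserv_id, accounts):
        """Return a confirmation token, or None if the request must not proceed."""
        if not is_sender_authenticated(raw_message, authserv_id):
            return None
        msg = message_from_string(raw_message, policy=policy.default)
        account_id = accounts.get(from_address(msg))
        if account_id is None:
            return None  # unknown address: nothing to delete, and nothing to leak
        token = secrets.token_urlsafe(32)
        self._pending[token] = account_id
        # The token is sent only to the address on file, never to From/Reply-To.
        return token

    def confirm(self, token):
        """Consume the token; returns the account to delete, or None."""
        return self._pending.pop(token, None)


ACCOUNTS = {"victim@victim.example": 42}  # constructed registry: address -> account id
```

With these samples, the relayed spoof and the message carrying a forged Authentication-Results header are both rejected before any token is issued, while the genuinely sent request yields a token that deletes account 42 exactly once. In a real deployment the MTA must strip inbound Authentication-Results headers that claim its own authserv-id, otherwise the authserv-id check is bypassable.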
