Able to leak private email of any user given his/her username via graphql
HackerOne report #972355 by vaib25vicky on 2020-09-01, assigned to @rchan-gitlab:
Report
Summary
Graphql query user is leaking private email of users
query {
user(username:"<victim>"){
email
username
}
}
Steps to reproduce
(Step-by-step guide to reproduce the issue, including:)
- Have a account with private email settings
- Use graphql query to access the private email
query {
user(username:"<victim>"){
email
username
}
}- Done
Impact
Leaks private emails of users by just knowing their usernames. Attacker can use this bug for mass leakage of gitlab users private emails.
How To Reproduce
Please add reproducibility information to this section: