
User's activity-related personal information is exposed in the API events response even when a private profile is enabled

Link:          https://hackerone.com/reports/417725
By:            @ngalog

Details: Docs link: https://gitlab.com/help/user/profile/index.md#private-profile

PoC:

[Two screenshots attached to the original report, dated 2018-10-03: Screen_Shot_2018-10-03_at_12.16.55_AM and Screen_Shot_2018-10-03_at_12.16.52_AM; images not reproduced here]

Impact

User's activity-related personal information is exposed in the API events response even when a private profile is enabled.