User's activity-related personal information is exposed in the API events response even when a private profile is enabled
Link: https://hackerone.com/reports/417725
By: @ngalog
Details: Docs link: https://gitlab.com/help/user/profile/index.md#private-profile
PoC:
- https://gitlab.com/golduserngalog shows no user activity in the response
- But https://gitlab.com/api/v4/users/2811996/events shows my personal activity anyway
Impact
User's activity-related personal information is exposed in the API events response even when a private profile is enabled
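The report describes an authorization rule (the private-profile setting) that is enforced on one surface, the web profile page, but not on another, the REST events endpoint. The following is an added illustrative model of that gap and of the defensive fix, a single visibility rule shared by every presentation layer plus a regression check that the surfaces agree. It is not GitLab's code; the names `User`, `Event`, `can_view_activity`, the handler functions and the sample users and events are all constructed for this example.

```python
"""
Illustrative model of the gap in the report: the web profile page honours
the "private profile" setting but the API events endpoint does not.
All names here are assumptions for the example, not GitLab's own code.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class User:
    id: int
    username: str
    private_profile: bool = False
    admin: bool = False


@dataclass
class Event:
    actor_id: int
    action: str
    target: str


# Constructed sample data: a user with a private profile, a normal user, an admin.
USERS = {
    1: User(1, "alice", private_profile=True),
    2: User(2, "bob"),
    3: User(3, "root", admin=True),
}
EVENTS = [
    Event(actor_id=1, action="pushed", target="alice/secret-repo"),
    Event(actor_id=1, action="commented", target="issue #12"),
    Event(actor_id=2, action="created", target="bob/public-repo"),
]


def can_view_activity(requester: Optional[User], target: User) -> bool:
    """Single visibility rule shared by every surface.

    Anonymous and unrelated users may not see a private profile's activity;
    the profile owner and administrators always may.
    """
    if not target.private_profile:
        return True
    if requester is None:
        return False
    return requester.admin or requester.id == target.id


def web_activity(requester: Optional[User], user_id: int) -> List[Event]:
    """Profile page: applies the visibility rule (as the report observed)."""
    target = USERS[user_id]
    if not can_view_activity(requester, target):
        return []
    return [e for e in EVENTS if e.actor_id == user_id]


def api_events_vulnerable(requester: Optional[User], user_id: int) -> List[Event]:
    """Events endpoint as reported: returns activity regardless of the setting."""
    return [e for e in EVENTS if e.actor_id == user_id]


def api_events_fixed(requester: Optional[User], user_id: int) -> List[Event]:
    """Events endpoint routed through the same rule as the profile page."""
    target = USERS[user_id]
    if not can_view_activity(requester, target):
        return []
    return [e for e in EVENTS if e.actor_id == user_id]


def surfaces_agree(requester: Optional[User], user_id: int) -> bool:
    """Regression check: every surface must expose the same activity set."""
    return web_activity(requester, user_id) == api_events_fixed(requester, user_id)


if __name__ == "__main__":
    anon = None
    print("web, anonymous:", web_activity(anon, 1))
    print("api (reported), anonymous:", api_events_vulnerable(anon, 1))
    print("api (fixed), anonymous:", api_events_fixed(anon, 1))
    print("api (fixed), owner:", api_events_fixed(USERS[1], 1))
```

The design point is that visibility decisions live in one function rather than being re-implemented per controller, so a new surface (API, RSS, GraphQL) cannot silently skip the check; `surfaces_agree` is the kind of test that would have caught this class of inconsistency.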