E-Mail Enumeration using Account Settings
HackerOne report #440638 by amateen57 on 2018-11-14:
Hi, it is possible to find all the registered e-mails, which can be used for spam or other purposes.
## POC:
- Go to https://gitlab.com/profile and in the main settings edit the e-mail and press save.
- Capture the request in Burp Suite.
- Send the request to Intruder and add your e-mail payload list (use the first 310 e-mails as junk).
- The server changes the e-mail of the account (see pic 1); the e-mail is attached, but because the e-mail is already used it cannot send any confirmation e-mail to the user.
- After 310, from 311 the server cannot block extra e-mails, and from 311 e-mail enumeration is started (see pics 3 and 2).
Note: the first 310 requests do not give any information; after that you can make a list of used e-mails.
Thanks
Impact
A hacker makes a list of used e-mails by brute forcing.
Attachments
Security Notes
This is similar behavior to the registration page, where, if an email address is already used, a message is displayed saying so.
Edited by Costel Maxim
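As an added example that is not part of the report or of GitLab's own code, the following Ruby sketch shows the mitigation a defender would apply to the e-mail change endpoint described in the report (and to the registration-page oracle mentioned in the Security Notes). It assumes the leak came from a response that differed between an address already in use and a free one; the class name, the attempt threshold and the sample addresses are constructed for this example.

```ruby
require 'set'

# Hardened e-mail change handler (example code, not GitLab's implementation).
# Two defences: the response is identical whether or not the address is taken,
# so it cannot be used as an oracle, and change attempts are throttled per
# account so a brute-force list cannot be built quickly.
class EmailChangeHandler
  MAX_ATTEMPTS_PER_WINDOW = 5   # constructed threshold for this example
  WINDOW_SECONDS = 3600

  # registered_emails: addresses already in use (constructed sample data)
  # clock: injectable time source so the window logic is testable offline
  def initialize(registered_emails, clock: -> { Time.now.to_i })
    @registered = Set.new(registered_emails.map(&:downcase))
    @attempts = Hash.new { |h, k| h[k] = [] }   # account_id => [timestamps]
    @pending = {}                               # account_id => unconfirmed address
    @clock = clock
  end

  # Returns the same status and body for a taken and for a free address.
  # The real decision (queue a confirmation mail, or silently do nothing)
  # happens out-of-band and is never reflected in the HTTP response.
  def change_email(account_id, new_email)
    now = @clock.call
    recent = @attempts[account_id].select { |t| now - t < WINDOW_SECONDS }
    @attempts[account_id] = recent
    if recent.size >= MAX_ATTEMPTS_PER_WINDOW
      return { status: 429, body: 'Too many e-mail change requests; try again later.' }
    end
    recent << now

    normalized = new_email.strip.downcase
    unless @registered.include?(normalized)
      # Only a free address becomes pending; a taken one is dropped silently.
      @pending[account_id] = normalized
    end
    { status: 200, body: 'If this address is available, a confirmation e-mail has been sent.' }
  end

  # Exposed for verification; a real service would confirm via the mailed token.
  def pending_for(account_id)
    @pending[account_id]
  end
end
```

Detection on the server side follows the same shape: count e-mail change requests per account per window and alert on accounts that hit the 429 path repeatedly.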