Email usurpation through the public mail of all GitLab users' mail
HackerOne report #454335 by bubbounty on 2018-12-03:
Summary: Bypass of the email checks when a user adds an email to their profile
Description: When a user wishes to add emails to their account, some checks are carried out (is the email a valid email? is the email already taken? etc.). Below is a simple way to bypass these checks and hence to usurp all GitLab users' emails.
Steps To Reproduce:
Just add an e-mail and intercept the request with a proxy tool such as Burp Suite. You will have to change the email[email]. Here is an example (take note that the @ character for the email in bcc is double-encoded):
After that, indicate this new email as the public one on your profile and the result will be as follows:
Additionally, you can obtain strange results as shown below:
Impact
Public email addresses should be in a verified status before being usable. The new email regex check should be more restrictive.
In this way, a bad guy can usurp other email addresses already existing on the system.
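One way to implement the two fixes the Impact section asks for, as an added example that is not GitLab's code: a constructed in-memory model that fully percent-decodes the submitted value before applying a strict regex and a uniqueness check, and only lets a verified address owned by the caller be set as public. It assumes the bypass relies on an encoded `@` that a validator run on the raw parameter never sees; `weak_is_valid` is a constructed illustration of such a check, not GitLab's actual regex.

```python
import re
from urllib.parse import unquote

# Strict shape: one local part, exactly one "@", a dotted domain (no "%" allowed).
EMAIL_RE = re.compile(r"^[a-z0-9._+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")

def weak_is_valid(raw: str) -> bool:
    # Constructed permissive check: asks for "x@y.z" on the raw value and never decodes.
    return re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", raw) is not None

def normalize(raw: str) -> str:
    """Percent-decode until stable, so a double-encoded %2540 -> %40 -> @ is seen as '@'."""
    value = raw
    for _ in range(5):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.strip().lower()

class EmailStore:
    """Constructed in-memory model: normalised email -> owner and verified flag."""
    def __init__(self):
        self.emails = {}
        self.public = {}

    def add_email(self, user: str, raw: str) -> str:
        email = normalize(raw)
        if not EMAIL_RE.fullmatch(email):
            return "rejected: invalid address"
        if email in self.emails:  # uniqueness is checked on the normalised form
            return "rejected: already taken"
        self.emails[email] = {"owner": user, "verified": False}
        return "added: pending verification"

    def verify(self, user: str, email: str) -> bool:  # after the user proves mailbox control
        entry = self.emails.get(normalize(email))
        if entry is None or entry["owner"] != user:
            return False
        entry["verified"] = True
        return True

    def set_public(self, user: str, email: str) -> str:
        entry = self.emails.get(normalize(email))
        if entry is None or entry["owner"] != user:
            return "rejected: not your address"
        if not entry["verified"]:
            return "rejected: not verified"
        self.public[user] = normalize(email)
        return "ok"
```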