User is allowed to set an email as Notification email even without verifying the new email

HackerOne report #471907 by rgupt on 2018-12-25:

Summary: When a user signs up with a new email address, before allowing the user to login with that email address on Gitlab, the user is asked to Confirm the email address. However, when a user tries to add a new email address from the User Settings page, user is allowed to select that email for all the Notifications even when the user has not confirmed their new email address.

Steps To Reproduce:

1. Go to Gitlab.com & signup with a new email account.
2. User will be asked to confirm their email address before allowing the user to login.
3. Now confirm the email address and login to your account.
4. Navigate to User Settings -> Emails Page. https://gitlab.com/profile/emails
5. Add a new email address. Do not confirm that email address yet.
6. Now navigate to User Settings -> Notifications page. https://gitlab.com/profile/notifications
7. Select the newly added unconfirmed email as the Notification email.
8. User is allowed to select the unconfirmed email as the Notification email without any restriction.
   

Impact

Hacker can use this vulnerability to promote their own project or other projects and send 1000s of emails to 1000s of users, without requiring the user to confirm the newly added email account.

Proposal

Users should only be able to set confirmed email addresses as their notification email address in /profile/notifications.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

• Email_1.PNG
• Email_2.PNG