Incomplete handling of account deletion
HackerOne report #503823 by brdoors3 on 2019-03-01, assigned to asaba:
Hi team,
I noticed an access control issue related to deleting an account at https://gitlab.com
POC

1. Access https://gitlab.com/profile/account > delete account.
   When the user owns a group, the following message is displayed:
2. Access this group and delete it.
3. Go back to https://gitlab.com/profile/account > delete account.
   The delete account button is now available.
4. In another tab, access https://gitlab.com/dashboard/groups > create a new group.
5. Go back to the tab from step 3 > confirm the account password.
   Response: "Account scheduled for removal"
Impact
The message is incorrect in both possible scenarios:
- If the account is actually deleted: this should not be possible, because there is a group where the user is the owner.
- If the account is not deleted: the message should not be returned.
Edited by Antony Saba
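The five steps above describe a check-then-act gap: the group-ownership check runs when the account page is rendered (step 3), but the confirmation request (step 5) only verifies the password, so a group created in between is never noticed. The following Ruby script is an added example, not GitLab's code and not part of the report; the `User`, `GroupRegistry` and `AccountDeletion` classes, the user name, the password and the group names are all constructed for illustration. It replays the report's steps against a confirmation flow that trusts the render-time check, and against one that re-validates ownership in the same request that performs the deletion.

```ruby
# Added example (hypothetical code, not GitLab's): models the check-then-act
# flaw described in the report. The page render and the confirmation are two
# separate requests, so state can change between them; the fix is to
# re-validate ownership at confirmation time, not only when drawing the button.

class User
  attr_reader :name, :password

  def initialize(name, password)
    @name = name
    @password = password
  end
end

# In-memory group registry (constructed for the example): group name => owner.
class GroupRegistry
  def initialize
    @groups = {}
  end

  def create(name, owner)
    @groups[name] = owner
  end

  def delete(name)
    @groups.delete(name)
  end

  # Names of the groups this user currently owns.
  def owned_by(user)
    @groups.select { |_, owner| owner == user }.keys
  end
end

# Outcome of the "confirm deletion" request.
Result = Struct.new(:status, :message)

class AccountDeletion
  BLOCKED = "Transfer or delete the groups you own before removing your account"

  def initialize(groups)
    @groups = groups
  end

  # GET /profile/account: decides whether the delete button is rendered.
  # On its own this is only a UI hint; it proves nothing about a later request.
  def delete_button_available?(user)
    @groups.owned_by(user).empty?
  end

  # Flawed flow: relies on the render-time check and only verifies the password.
  def confirm_vulnerable(user, password)
    return Result.new(:forbidden, "Invalid password") unless password == user.password

    Result.new(:scheduled, "Account scheduled for removal")
  end

  # Hardened flow: re-checks ownership inside the request that schedules removal.
  def confirm_hardened(user, password)
    return Result.new(:forbidden, "Invalid password") unless password == user.password

    owned = @groups.owned_by(user)
    unless owned.empty?
      return Result.new(:blocked, "#{BLOCKED} (still owner of: #{owned.join(', ')})")
    end
    Result.new(:scheduled, "Account scheduled for removal")
  end
end

# Replays the report's five steps against one of the two confirm flows
# (:confirm_vulnerable or :confirm_hardened) and returns what each step saw.
def replay_report(flow)
  user = User.new("example-user", "example-password")  # constructed credentials
  groups = GroupRegistry.new
  groups.create("old-group", user)
  svc = AccountDeletion.new(groups)

  step1 = svc.delete_button_available?(user)        # false: user owns old-group
  groups.delete("old-group")                        # step 2: delete the group
  step3 = svc.delete_button_available?(user)        # true: button now rendered
  groups.create("new-group", user)                  # step 4: new group in another tab
  result = svc.public_send(flow, user, "example-password") # step 5: confirm
  { step1: step1, step3: step3, result: result, owned_after: groups.owned_by(user) }
end

if __FILE__ == $PROGRAM_NAME
  %i[confirm_vulnerable confirm_hardened].each do |flow|
    r = replay_report(flow)
    puts "#{flow}: #{r[:result].status} - #{r[:result].message} (owns #{r[:owned_after].inspect})"
  end
end
```

The vulnerable flow returns the "scheduled" message while the user still owns `new-group`, which is exactly the contradiction the report points out; the hardened flow refuses in the same request that would have scheduled the removal, so there is no window between the check and the action.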