We are stealing the IP addresses of those who opened our project.

HackerOne report #506507 by iframe on 2019-03-07, assigned to dappelt:

Hello, I discovered a vulnerability that allows you to steal the IP addresses of those who open our project. This is already very funny for me, because this is the third such vulnerability haha)


Open my project and I can steal your IP
https://gitlab.com/i[REDACTED]t

GET from [REDACTED]

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7  
Accept-Encoding: gzip, deflate, br  
Referer: https://gitlab.com/  
Accept: image/webp,image/apng,image/*,*/*;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36  
Connection: keep-alive  
Host: sia.one  
Content-Length:   
Content-Type:  

Steps:

  1. open https://gitlab.com/ /test/edit
  2. open Badges
  3. Inject

Impact

We are stealing the IP addresses of those who opened our project.

Attachments

Warning: Attachments received through HackerOne, please exercise caution! [REDACTED]

Edited Jul 06, 2022 by Costel Maxim
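
Added example, not part of the original report or GitLab's own code: a defender-side audit that lists project badges whose image URL makes a visitor's browser contact a host outside the instance, which is the kind of request captured in the report. The `name`/`image_url` record shape, the `TRUSTED_HOSTS` allowlist and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts allowed to serve badge images directly (assumption for this example).
TRUSTED_HOSTS = {"gitlab.com"}

def badge_image_host(image_url):
    """Return the host a visitor's browser would contact for this image URL.

    Returns None when no third-party request is made (relative path, data: URI).
    Raises ValueError for URLs that cannot be classified safely.
    """
    # Browsers treat "\" like "/" in http(s) URLs, so normalise before parsing.
    url = image_url.strip().replace("\\", "/")
    if url.startswith("//"):              # scheme-relative: inherits the page's https
        url = "https:" + url
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and not parts.hostname:
        raise ValueError("http(s) URL without a host: %r" % image_url)
    # .hostname drops userinfo and port and lowercases the result, so
    # "https://gitlab.com@tracker.example/" resolves to "tracker.example".
    return parts.hostname

def audit_badges(badges, trusted=TRUSTED_HOSTS):
    """Return (badge name, host, reason) for every badge that leaks visitor requests."""
    findings = []
    for badge in badges:
        try:
            host = badge_image_host(badge["image_url"])
        except ValueError as exc:
            findings.append((badge["name"], None, str(exc)))
            continue
        if host is not None and host not in trusted:
            findings.append((badge["name"], host, "image loaded from third-party host"))
    return findings

# Constructed sample records; the hosts under .example are placeholders.
SAMPLE_BADGES = [
    {"name": "pipeline", "image_url": "https://gitlab.com/%{project_path}/badges/%{default_branch}/pipeline.svg"},
    {"name": "logo", "image_url": "/uploads/logo.png"},
    {"name": "coverage", "image_url": "https://tracker.example/c.png"},
    {"name": "userinfo", "image_url": "https://gitlab.com@tracker.example/p.svg"},
    {"name": "relative", "image_url": "//CDN.tracker.example:8443/b.png"},
    {"name": "nohost", "image_url": "https:/badge.svg"},
]

if __name__ == "__main__":
    for name, host, reason in audit_badges(SAMPLE_BADGES):
        print(name, host, reason)
```
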