View the name of a private project, through notification settings

HackerOne report #637230 by iframe on 2019-07-07, assigned to estrike:

Hello, I found something interesting: we can see the name of a private project (and even receive notifications about all its changes) in a specific case.

1. To start, I created a public project on account ==A==.

2. Next, from account ==B==, I found the project identifier:
Project ID: 13105788

3. Next, account ==B== subscribed to the project's notifications.
gitlab1.png

4. Account ==A== made the project private.
gitlab1.png

5. Next, we go to account ==B== and check whether the notification settings are still there.

Yes, they remained, and it's damn cool)
gitlab1.png

6. And now, to make sure this is not just a visual leftover, I will rename the project from account ==A==.

7. Now let's see from account ==B== whether the project's name has changed.
gitlab1.png

Oh yeah)
===

Impact:

Thus, if the project was public and we managed to subscribe to its notifications, we can keep following it even after it has been made private.

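The sequence above, as an added example that is not the reporter's material or GitLab's code: a small Python model of per-project notification settings that reproduces the stale-subscription leak (a setting created while the project was public survives the switch to private, so a non-member still sees the renamed project on their settings page and still receives its notifications) and shows two fixes, re-checking read access whenever settings are rendered or notifications are fanned out, and purging settings of users who lose access when visibility changes. The project name, the owner and subscriber names, and the `NotificationService` API are assumptions of the model; the project ID is the one from the report.

```python
"""Model of a stale notification subscription leaking a private project's name.

Illustrative model only (not GitLab code). Access is re-derived from the
project's current visibility and membership, never from the subscription.
"""
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"
    PRIVATE = "private"


@dataclass
class Project:
    id: int
    name: str
    owner: str
    visibility: Visibility
    members: set = field(default_factory=set)


@dataclass
class NotificationSetting:
    user: str
    project_id: int
    level: str = "watch"


class NotificationService:
    """enforce_on_read / purge_on_visibility_change select the hardened behaviours."""

    def __init__(self, enforce_on_read=False, purge_on_visibility_change=False):
        self.projects = {}
        self.settings = []
        self.enforce_on_read = enforce_on_read
        self.purge_on_visibility_change = purge_on_visibility_change

    def can_read(self, user, project):
        # Authorization depends only on current state, not on past subscriptions.
        return (project.visibility is Visibility.PUBLIC
                or user == project.owner or user in project.members)

    def add_project(self, project):
        self.projects[project.id] = project

    def subscribe(self, user, project_id, level="watch"):
        # The check at subscribe time is correct but is the only check in the
        # vulnerable configuration; it is never repeated later.
        project = self.projects[project_id]
        if not self.can_read(user, project):
            raise PermissionError(f"{user} cannot read project {project_id}")
        self.settings.append(NotificationSetting(user, project_id, level))

    def set_visibility(self, project_id, visibility):
        project = self.projects[project_id]
        project.visibility = visibility
        if self.purge_on_visibility_change:
            # Fix 2: drop subscriptions of users who can no longer read the project.
            self.settings = [s for s in self.settings
                             if self.can_read(s.user, self.projects[s.project_id])]

    def rename(self, project_id, new_name):
        self.projects[project_id].name = new_name

    def settings_page(self, user):
        """Rows the user's notification settings page would show: (project name, level)."""
        rows = []
        for s in self.settings:
            if s.user != user:
                continue
            project = self.projects[s.project_id]
            # Fix 1: filter out projects the user is no longer allowed to read.
            if self.enforce_on_read and not self.can_read(user, project):
                continue
            rows.append((project.name, s.level))
        return rows

    def recipients(self, project_id):
        """Users who would be notified of an event on the project."""
        project = self.projects[project_id]
        users = [s.user for s in self.settings if s.project_id == project_id]
        if self.enforce_on_read:
            users = [u for u in users if self.can_read(u, project)]
        return users


def reproduce(service):
    """Steps 1-7 of the report against the given policy; returns what account B sees."""
    service.add_project(Project(13105788, "demo-project", "A", Visibility.PUBLIC))  # step 1
    service.subscribe("B", 13105788)                        # step 3, while still public
    service.set_visibility(13105788, Visibility.PRIVATE)    # step 4
    service.rename(13105788, "renamed-secret")              # step 6
    return {"settings_page": service.settings_page("B"),    # step 5/7: name visible?
            "push_recipients": service.recipients(13105788)}


if __name__ == "__main__":
    print("vulnerable:", reproduce(NotificationService()))
    print("enforce on read:", reproduce(NotificationService(enforce_on_read=True)))
    print("purge on change:", reproduce(NotificationService(purge_on_visibility_change=True)))
```

The two fixes are complementary: filtering at read time closes the leak even for subscriptions that already exist, while purging on visibility change keeps the stored settings consistent with who may actually read the project.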

Edited Jan 02, 2020 by GitLab SecurityBot