
Malicious user can block gitlab.com users by exploiting 2FA inheritance logic

HackerOne report #637675 by marshall0705 on 2019-07-08, assigned to estrike:

Summary

2FA inheritance can be manipulated to indefinitely block users' access to gitlab.com

Steps to reproduce

  1. Top-level group [A] has 2FA enforced
  2. Child subgroup [B] also has 2FA enforced (should be irrelevant, however, due to inheritance)
  3. Child subgroup [C] (should be irrelevant, was just used to contain tests, no explicit 2FA requirement)
  4. Project [D] in subgroup [C] (inherits 2FA from [A] and [B])
  5. UserX added to [D] only, never added to any group

Structure: A / B / C / D

Theoretically the following structure should also exhibit the same behaviour: A / D

  1. Log in as UserX, who is then redirected to the 2FA page (warning message attached)
  2. UserX attempts to remove themselves from the groups, but cannot because they are not a member of any group

Impact

Users without 2FA can be denied access to gitlab by a malicious user adding them to a project that has inherited 2FA requirements. Users cannot remove themselves from the project as there is no option to do so, and cannot remove themselves from the parent group as they are not a member.

Examples

Experienced with personal account marshall0705 against project Holland And Barrett International / Platform as a Service / dan-test / dan-test. Admin account danmarshallhollbarr used to configure project/groups/members.

What is the current bug behavior?

A user cannot remove themselves from a project that enforces 2FA and is therefore unable to navigate to any other project or group.
Furthermore, removing the user from the project does not lift the 2FA requirement.

What is the expected correct behavior?

Users should be able to leave projects that are enforcing 2FA.
Removing the user from the project should lift the 2FA requirement.
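The following Ruby model is an added example, not GitLab's code: it reproduces the hierarchy from the steps above (A / B / C / D, or the flat A / D variant) and contrasts the reported behaviour with the expected one. The `AccessPolicy#sign_in_buggy` path models the requirement being computed once and cached on the user, which is an assumption about the cause, not something the report states; `sign_in_fixed` evaluates the requirement from current memberships each time and `leave` lets a member leave a project. All class and method names are hypothetical.

```ruby
# Added example: toy model of inherited 2FA enforcement (hypothetical names, not GitLab code).
class Group
  attr_reader :name, :parent, :require_2fa
  def initialize(name, parent: nil, require_2fa: false)
    @name, @parent, @require_2fa = name, parent, require_2fa
  end

  # The requirement is inherited from any ancestor up to the top-level group.
  def enforces_2fa?
    node = self
    while node
      return true if node.require_2fa
      node = node.parent
    end
    false
  end
end

class Project
  attr_reader :name, :group
  def initialize(name, group) = (@name, @group = name, group)
  def enforces_2fa? = group.enforces_2fa?
end

class User
  attr_reader :name, :two_factor_enabled
  attr_accessor :cached_2fa_required # stale flag used to model the reported bug
  def initialize(name, two_factor_enabled: false)
    @name, @two_factor_enabled, @cached_2fa_required = name, two_factor_enabled, false
  end
end

# Tracks which users belong to which group or project.
class MembershipStore
  def initialize = @members = Hash.new { |h, k| h[k] = [] }
  def add(user, resource) = (@members[resource] << user unless member?(user, resource))
  def remove(user, resource) = @members[resource].delete(user)
  def member?(user, resource) = @members[resource].include?(user)
  def resources_of(user) = @members.select { |_, users| users.include?(user) }.keys
end

class AccessPolicy
  def initialize(store) = @store = store

  # Live evaluation: the requirement follows the user's current memberships.
  def requires_2fa?(user) = @store.resources_of(user).any?(&:enforces_2fa?)

  # Assumed bug model: computed once at sign-in and cached on the user; removing
  # the membership later never clears the cache, so the user stays locked out.
  def sign_in_buggy(user)
    user.cached_2fa_required ||= requires_2fa?(user)
    !user.cached_2fa_required || user.two_factor_enabled
  end

  # Expected behaviour: re-evaluate against current memberships on every sign-in.
  def sign_in_fixed(user) = !requires_2fa?(user) || user.two_factor_enabled

  # Expected behaviour: a member can always leave the project they were added to.
  def leave(user, resource)
    return false unless @store.member?(user, resource)
    @store.remove(user, resource)
    true
  end
end

# Constructed scenario from the report: UserX (no 2FA) is added to project D only.
def scenario(nested: true)
  a = Group.new("A", require_2fa: true)
  b = Group.new("B", parent: a, require_2fa: true)
  c = Group.new("C", parent: b)
  d = Project.new("D", nested ? c : a) # A / B / C / D, or the flat A / D variant
  user_x = User.new("UserX")
  store = MembershipStore.new
  store.add(user_x, d)
  { a: a, b: b, c: c, d: d, user: user_x, store: store, policy: AccessPolicy.new(store) }
end

def demo(nested: true)
  s = scenario(nested: nested)
  user, d, b, policy = s.values_at(:user, :d, :b, :policy)
  r = {}
  r[:inherited] = d.enforces_2fa?                     # D inherits the requirement from A
  r[:locked_out] = !policy.sign_in_buggy(user)        # redirected to the 2FA page
  r[:cannot_leave_group] = !policy.leave(user, b)     # not a member of B, so nothing to leave
  r[:can_leave_project] = policy.leave(user, d)       # expected: leaving D is possible
  r[:still_locked_buggy] = !policy.sign_in_buggy(user) # cached flag keeps the lockout
  r[:unlocked_fixed] = policy.sign_in_fixed(user)     # live check lifts it
  r
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running `demo` shows every key as `true`: the lockout is reached through the project alone, the user has no group membership to remove, and only the live re-evaluation lifts the requirement once the project membership is gone.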

Relevant logs and/or screenshots

Please see attached screenshot for warning message, which does not include the option to remove self from the project. This is also shown after the user has been removed from the project by the owner.

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

N/A

Impact

An attacker can block users from accessing all gitlab.com groups/projects by adding them to an arbitrary project that has an inherited 2FA requirement. The user cannot remove themselves from the project and thus cannot navigate to any other resources.

Attachments
