Bypass Email Verification using Salesforce -- Reproducible in gitlab.com

HackerOne report #617896 by ngalog on 2019-06-18, assigned to jmatos_bgtvf:

Summary

The Salesforce login integration allows an attacker to bypass email verification: a user is able to sign up with any email domain they want, effectively bypassing all email domain whitelist/blacklist restrictions, or any other third party using the GitLab instance's email address.

It is possible because Salesforce allows an admin to create a user with an arbitrary email, and I believe this is what the GitLab engineer forgot to consider while implementing the Salesforce integration.

Please follow along to see how I was able to create the account ronworkingitlab@gitlab.com on gitlab.com.

Steps to reproduce

Impact

Bypasses the email domain restriction and allows signup with an arbitrary email domain.

What is the current bug behavior?

Able to sign up with any email domain.

What is the expected correct behavior?

Should require email verification.

Relevant logs and/or screenshots

Screen_Shot_2019-06-18_at_7.50.41_PM.png

Impact

Described above.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by GitLab SecurityBot
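The following is an added illustration of the failure mode the report describes; it is written for this page and is not taken from GitLab's code base or from its Salesforce integration. It models a hypothetical OAuth-style callback that builds an account from provider-supplied profile info: `create_account_trusting_provider` accepts the email verbatim and marks it confirmed (the behaviour reported, where an identity-provider admin who can create users with any address picks the email they like), while `create_account_checked` runs the instance's domain allowlist/denylist on that same email and leaves the account unconfirmed unless the provider asserts the address is verified and the operator has explicitly chosen to trust that assertion. All names, the `SignupRestrictions` structure and the `email_verified` flag are assumptions for the example.

```ruby
# Added illustration for the report above. Not GitLab's code and not the
# Salesforce integration: a self-contained model of what goes wrong when a
# provider-supplied email is treated as if the instance had verified it.
#
# Assumptions (hypothetical): an identity provider hands us an info hash
# with :email and an optional :email_verified flag, and the instance is
# configured with an allowlist and/or denylist of sign-up domains.

# Constructed stand-in for the instance's sign-up restrictions.
SignupRestrictions = Struct.new(:allowed_domains, :denied_domains, keyword_init: true)

# Minimal account record; confirmed_at == nil means "must verify email".
Account = Struct.new(:email, :provider, :confirmed_at, keyword_init: true)

class SignupRejected < StandardError; end

# Extract and normalise the domain part, rejecting malformed addresses.
def email_domain(email)
  local, domain = email.to_s.downcase.split('@', 2)
  if local.nil? || local.empty? || domain.nil? || domain.empty? || domain.include?('@')
    raise SignupRejected, "malformed email: #{email.inspect}"
  end
  domain
end

# Apply the same domain rules the regular sign-up form enforces:
# a denylist hit always rejects; an empty allowlist means "any domain".
def domain_permitted?(email, restrictions)
  domain = email_domain(email)
  return false if restrictions.denied_domains.any? { |d| domain == d.downcase }
  return true if restrictions.allowed_domains.empty?
  restrictions.allowed_domains.any? { |d| domain == d.downcase }
end

# FLAWED: mirrors the reported behaviour. The provider's email is accepted
# verbatim and the account is treated as confirmed, so both the domain
# rules and the verification mail are skipped. Whoever controls the
# provider-side user record controls the email the account ends up with.
def create_account_trusting_provider(info, provider:)
  Account.new(email: info[:email], provider: provider, confirmed_at: Time.now)
end

# HARDENED: run the domain restriction on the provider-supplied email, and
# only skip verification when the provider explicitly asserts the address
# is verified AND the operator has opted in to trusting that assertion.
# Otherwise the account is created unconfirmed and goes through the
# instance's own email verification like any other sign-up.
def create_account_checked(info, provider:, restrictions:, trust_provider_verification: false)
  email = info[:email]
  unless domain_permitted?(email, restrictions)
    raise SignupRejected, "domain not permitted: #{email_domain(email)}"
  end
  verified = trust_provider_verification && info[:email_verified] == true
  Account.new(email: email, provider: provider, confirmed_at: verified ? Time.now : nil)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the instance only accepts example.org and denies gitlab.com.
  rules = SignupRestrictions.new(allowed_domains: ['example.org'], denied_domains: ['gitlab.com'])
  attacker = { email: 'ronworkingitlab@gitlab.com' }
  puts create_account_trusting_provider(attacker, provider: 'salesforce').inspect
  begin
    create_account_checked(attacker, provider: 'salesforce', restrictions: rules)
  rescue SignupRejected => e
    puts "rejected: #{e.message}"
  end
end
```

The key design point is that the email coming back from the provider is untrusted input in exactly the way a form field is: the domain policy has to run on it, and a "verified" claim is only as good as the provider's user-creation controls, so it should be an explicit opt-in per provider rather than the default.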