ESCALATED: 2FA requirement bypass using the API
HackerOne report #691592 by xanbanx
on 2019-09-10, assigned to jmatos_bgtvf
Hi GitLab Security team,
Summary
GitLab allows requiring all users of a group to set up Two-factor authentication. The group owner can set up a grace period, and after that amount of time all group members who are not using 2FA yet are redirected to the personal 2FA settings page before being able to continue using GitLab.
However, this can be completely bypassed using the API. The same user can use the session cookie or a previously generated private token to access the API, in particular the group and all its sub-resources, which actually mandate 2FA for their members.
Using the session cookie, you can make all GET requests on the API. POST requests are not working due to CSRF protection. However, a previously generated private token can be arbitrarily used within the group.
Steps to reproduce
- Let user-a create a group and add some resources, e.g., a project with some issues.
- Go to https://example.gitlab.com/groups/test-group-with-2fa/-/edit#js-permissions-settings, enable "Require all users in this group to setup Two-factor authentication" and set "Time before enforced" to 0. This means that 2FA is required immediately.
- As a second user user-b, first generate a private token with API scope, i.e., private-token-user-b.
- As user-a, add user-b to the previously created group with developer access.
- As user-b, you will now immediately be redirected to the 2FA settings page when using GitLab through the browser.
- Extract the session cookie for user-b from the browser.
- Perform the following API request:

    curl --cookie "_gitlab_session=<session-cookie-user-b>" https://example.gitlab.com/api/v4/groups

  You will receive a JSON response with all groups you have access to, including the one requiring 2FA. You can then use the group id of that group to make further requests to get information on all sub-resources, e.g., projects, issues, etc.
- You can also use the private token to authenticate. This even allows making arbitrary POST requests, e.g., to create a project within the group (the query string is quoted so the shell does not interpret the ampersand):

    curl --request POST --header "PRIVATE-TOKEN: <private-token-user-b>" "https://gitlab.com/api/v4/projects?namespace_id=<namespace-of-group>&name=my-project"
Impact
The restriction of 2FA can be completely bypassed using the API. Because GitLab's API is very powerful, almost all operations can bypass a 2FA requirement, thus making this setting almost useless.
What is the current bug behavior?
API access is allowed using the session cookie and the private token although the required two factor authentication is not enabled.
What is the expected correct behavior?
API access with session cookie and private token needs to be rejected until a user sets up 2FA.
Output of checks
This bug happens on GitLab.com
Best regards,
Xanbanx
Impact
See above
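The expected behaviour the report asks for is that a group's 2FA requirement is evaluated on every API request, whatever credential carried it, rather than only on browser page loads. The following Ruby sketch is an added example of that server-side check; it is not GitLab's code and uses constructed model classes (User, Group, Membership, Credential) and an assumed rule that the grace period counts from the time the user was added to the group. It shows the three outcomes a practitioner would want: a session-cookie and a private-token request to an enforced group are both rejected with 403 and an audit line, a group without the requirement (or still inside its grace period) stays accessible, and group listings omit enforced groups the user has not yet enrolled for.

```ruby
# Constructed model, not GitLab's own classes: a user, a group with a 2FA
# requirement and grace period, and a credential describing how a request
# authenticated (session cookie or private token).
User = Struct.new(:name, :two_factor_enabled, keyword_init: true)
Group = Struct.new(:id, :path, :require_two_factor, :grace_period_hours, keyword_init: true)
Membership = Struct.new(:user, :group, :added_at, keyword_init: true)
Credential = Struct.new(:kind, keyword_init: true) # :session or :private_token

module TwoFactorEnforcement
  # Assumption: the grace period counts from the moment the user was added to
  # the group; a period of 0 hours means enforcement is immediate.
  def self.due?(membership, now)
    group = membership.group
    return false unless group.require_two_factor
    return false if membership.user.two_factor_enabled
    deadline = membership.added_at + group.grace_period_hours * 3600
    now >= deadline
  end

  # Authorize a request against a group-scoped API resource. The check runs
  # regardless of credential kind, so neither a session cookie nor a
  # previously issued private token can read or write the group's resources
  # until the user has enrolled. Returns an HTTP-like status, a body and,
  # on denial, an audit line suitable for detection pipelines.
  def self.authorize(membership:, credential:, now: Time.now)
    unless %i[session private_token].include?(credential.kind)
      return { status: 401, body: { message: 'unsupported credential' } }
    end
    if due?(membership, now)
      return {
        status: 403,
        body: { message: '2FA is required for this group; enable it in your profile settings' },
        audit: "2fa_enforcement_denied user=#{membership.user.name} " \
               "group=#{membership.group.path} credential=#{credential.kind}"
      }
    end
    { status: 200, body: { message: 'ok' } }
  end

  # Filter a group listing so that groups whose 2FA deadline has passed are
  # not disclosed to an unenrolled user, mirroring what the browser session
  # already enforces via the redirect to the 2FA settings page.
  def self.visible_groups(memberships, now: Time.now)
    memberships.reject { |m| due?(m, now) }.map(&:group)
  end
end

# Constructed sample data reproducing the report's scenario: user-b without
# 2FA, added to a group with "Time before enforced" set to 0, plus a group
# without the requirement and one still inside a 48-hour grace period.
def sample_memberships(now = Time.utc(2019, 9, 10, 12, 0, 0))
  user_b = User.new(name: 'user-b', two_factor_enabled: false)
  enforced = Group.new(id: 1, path: 'test-group-with-2fa', require_two_factor: true, grace_period_hours: 0)
  relaxed = Group.new(id: 2, path: 'other-group', require_two_factor: false, grace_period_hours: 0)
  in_grace = Group.new(id: 3, path: 'grace-group', require_two_factor: true, grace_period_hours: 48)
  [
    Membership.new(user: user_b, group: enforced, added_at: now - 60),
    Membership.new(user: user_b, group: relaxed, added_at: now - 60),
    Membership.new(user: user_b, group: in_grace, added_at: now - 3600)
  ]
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2019, 9, 10, 12, 0, 0)
  memberships = sample_memberships(now)
  %i[session private_token].each do |kind|
    result = TwoFactorEnforcement.authorize(membership: memberships.first,
                                            credential: Credential.new(kind: kind), now: now)
    puts "#{kind}: #{result[:status]} #{result[:body][:message]}"
    puts "  audit: #{result[:audit]}" if result[:audit]
  end
  visible = TwoFactorEnforcement.visible_groups(memberships, now: now).map(&:path)
  puts "visible groups: #{visible.join(', ')}"
end
```

The point of `visible_groups` is the first step in the report: the unenrolled user could still enumerate the enforced group through `GET /groups`, and everything else followed from its id. Applying `due?` both on the listing and on every group-scoped resource closes the gap for both credential kinds at once, and the audit line gives the SOC a single event to alert on when an existing token keeps hitting an enforced group after the deadline.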