Annual pentest finding (2021) - Change Email Address without Re-authentication
Location
https://gitlab.com/-/profile (user_email)
Impact
Changing the user's email address without confirming their identity via their password or original email address could lead to an account takeover. In this case the attack would only be possible from the local system, and it becomes a more realistic possibility because of finding NCC-GTLB002-008 on page 13: an attacker with access to the local system could gain access to the account and make changes.
Description
Gitlab.com provided a method for users to change their email address through normal functionality, but did not require the current password to be submitted for the address to be changed. An email is sent to the new email address for confirmation, but no email is sent to the old email address to confirm that the change was wanted. Without a requirement to submit the current password, an attacker who had hijacked a legitimate user's session could take over the user's account by changing the email address to an arbitrary value and subsequently triggering a password reset. Because a confirmation email is sent to the user's original email address, this issue has been lowered from medium to low; the remaining scenario is an attacker changing the email address on a system the user has left unattended, with a high chance that their email account is also open.
Recommendation
Any changes to a user account should require the user’s current password.
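The following is an added illustration of the recommendation, written here for this finding and not taken from GitLab's code base. It is in Ruby because GitLab is a Rails application, but the classes (AccountService, Mailer, PasswordHash, User) are hypothetical stand-ins: an in-memory outbox replaces real mail delivery and a PBKDF2 hasher from the standard library replaces the application's own password hashing. It places the weak pattern the Description above identifies (session alone suffices, old address never told) beside a hardened flow that requires the current password, keeps the old address active until the new one is confirmed, and notifies the old address of the pending change.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical in-memory stand-ins (constructed for this example, not GitLab code).
User = Struct.new(:email, :password_hash, :pending_email, :pending_token)
Message = Struct.new(:to, :subject, :token)

# Records mail instead of sending it, so the example runs offline.
class Mailer
  attr_reader :sent

  def initialize
    @sent = []
  end

  def deliver(to:, subject:, token: nil)
    @sent << Message.new(to, subject, token)
  end
end

# PBKDF2-HMAC-SHA256 via stdlib OpenSSL; stands in for the app's real hasher.
module PasswordHash
  ITERATIONS = 100_000

  def self.create(password)
    salt = SecureRandom.hex(16)
    "#{salt}$#{derive(password, salt)}"
  end

  def self.verify(stored, candidate)
    salt, expected = stored.split('$', 2)
    return false unless salt && expected
    secure_equal?(derive(candidate, salt), expected)
  end

  def self.derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, 'sha256').unpack1('H*')
  end

  # Constant-time comparison so timing does not reveal how many bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

class AccountService
  def initialize(mailer)
    @mailer = mailer
  end

  # The weak pattern from the finding: a valid session is all that is needed,
  # the address flips immediately, and the old address is never informed.
  # Kept only for contrast with the hardened flow below.
  def change_email_without_reauth(user, new_email)
    user.email = new_email
    @mailer.deliver(to: new_email, subject: 'Confirm your new email')
    :email_changed
  end

  # Hardened flow: re-authenticate with the current password, stage the change
  # behind a confirmation token sent to the new address, and notify the old one.
  def change_email(user, new_email:, current_password:)
    unless current_password && PasswordHash.verify(user.password_hash, current_password)
      return :invalid_password # nothing changes and no mail is sent
    end

    user.pending_email = new_email
    user.pending_token = SecureRandom.urlsafe_base64(32)
    @mailer.deliver(to: new_email, subject: 'Confirm your new email', token: user.pending_token)
    @mailer.deliver(to: user.email, subject: 'Your email address is being changed')
    :confirmation_sent
  end

  # Only the holder of the token mailed to the new address can complete the change.
  def confirm_email(user, token)
    unless user.pending_token && PasswordHash.secure_equal?(user.pending_token, token.to_s)
      return :invalid_token
    end

    user.email = user.pending_email
    user.pending_email = user.pending_token = nil
    :email_changed
  end
end
```

A hijacked session that calls `change_email` without the current password gets `:invalid_password` and leaves both the stored address and the outbox untouched; a legitimate change still leaves the old address in place until the token from the new address comes back, and the old address receives a notice it can act on in the meantime.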
Reference
OWASP - Require Re-authentication for Sensitive Features: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features