Ability to change the real URL in Slack messages generated by the Slack integration; possibility to direct the user to a malicious site to steal login data
HackerOne report #1310778 by rafaltrojniak
on 2021-08-18, assigned to GitLab Team:
Report
Summary
The Slack integration is vulnerable to injection of Slack formatting macros into the Slack messages it generates.
As an example, such macros can deceive the user and lead them to open a malicious URL instead of the legitimate GitLab URL.
Steps to reproduce
Preconditions:
- A GitLab project that is open for merge requests from anyone
- This GitLab project has the Slack integration enabled and configured, and people read those Slack messages.
User action leading to exploitation:
- Fork the original project
- Create a branch
- Create a merge request from the forked repository to the original repository with Slack macros injected into the merge request title. An example macro aiming to change the URL is:
><http://evil.localhost|Some MR title
This creates the merge request and triggers a Slack notification in which the URL in the MR description part is changed to the malicious one.
- Change the merge request title to something not suspicious, like
Some MR title
This does not send a Slack notification; it only leaves the event in the GitLab MR history.
User action:
A Slack user clicks on the title in the notification created by the GitLab Slack integration.
Impact
The user is misled and can click on a link that directs them to a malicious site.
Examples
This is a link to an example malicious merge request:
https://gitlab.com/rafaltrojniak/bugbounty/-/merge_requests/1
This is my private project, but it will also work in the forking scenario described above.
What is the current bug behavior?
Slack macros found in the merge request title are interpreted by Slack when the notification is sent, allowing the user to be misled.
What is the expected correct behavior?
Slack macros found in the merge request title should be displayed as-is, without being interpreted by Slack. They should be properly escaped as described at https://api.slack.com/reference/surfaces/formatting#escaping .
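The escaping rule referenced above, shown as an added example (not GitLab's own code): user-controlled text such as an MR title is escaped before being interpolated into a Slack message, next to the unescaped pattern that produces the bug described in this report. The function and message names and the gitlab.example URL are assumptions.

```ruby
# Added example: escaping user-controlled text before interpolating it into a
# Slack message, following Slack's documented escaping rules
# (https://api.slack.com/reference/surfaces/formatting#escaping).
# The function names below are assumptions, not GitLab's integration code.

# Slack treats '&', '<' and '>' as control characters in message text:
# "<url|label>" renders as a link with the given label. Escaping these three
# characters makes the text render literally. '&' is replaced first so that
# the entities introduced for '<' and '>' are not double-escaped.
def slack_escape(text)
  text.to_s
      .gsub('&', '&amp;')
      .gsub('<', '&lt;')
      .gsub('>', '&gt;')
end

# Vulnerable pattern: the merge request title is interpolated as-is, so a
# title containing Slack link markup can rewrite the link the user clicks.
def mr_notification_unescaped(title, url)
  "<#{url}|#{title}>"
end

# Hardened pattern: the title is escaped; the URL comes from the application,
# not from user input.
def mr_notification_escaped(title, url)
  "<#{url}|#{slack_escape(title)}>"
end

# Constructed sample values modelled on the report (placeholder URL).
MR_URL = 'https://gitlab.example/group/project/-/merge_requests/1'
MALICIOUS_TITLE = '><http://evil.localhost|Some MR title'

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{mr_notification_unescaped(MALICIOUS_TITLE, MR_URL)}"
  puts "escaped:   #{mr_notification_escaped(MALICIOUS_TITLE, MR_URL)}"
end
```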
Relevant logs and/or screenshots
A screenshot of such a notification generated by the MR above is attached: Przechwycenie_obrazu_ekranu_2021-08-18_17-36-32.png
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
This bug happens on GitLab.com
Impact
A user who clicks the link without checking can be directed to a site outside the scope of GitLab (either gitlab.com or a self-hosted GitLab instance).
This link, which is usually treated as safe, may lead the client to any malicious site that could continue the attack.
Possible impacts are:
- Further exploitation of the client (such as attacks against the browser, local network infrastructure and the like)
- Misleading the user and convincing them to share login credentials