Missing warning that GPG keys expose users' verified email addresses
HackerOne report #1335671 by joaxcar
on 2021-09-10, assigned to @ngeorge1:
Report
Summary
This is less an implementation problem than a documentation problem. The documentation for creating and using GPG keys to sign commits fails to mention that any email address embedded in a GPG key becomes publicly visible (even to visitors who do not have an account on the instance). The GitLab documentation for GPG keys states that you have to use a verified email address from your account:
One of the emails in the GPG key must match a verified email address used by the committer in GitLab.
and
Enter your real name, the email address to be associated with this key (should match a verified email address you use in GitLab) and an optional comment
The GitLab documentation does not contain any warning that the public GPG key will expose this email address. As a reference, GitHub has a note:
To keep your email address private, use your GitHub-provided no-reply email address. For more information, see "Verifying your email address" and "Setting your commit email address."
This kind of warning should be present in GitLab as well. Since GitLab already provides a "private" no-reply email address for every user (see documentation), and that address counts as a verified email, the GPG instructions should point users to it.
The underlying issue is that a public GPG key contains the linked email address, and because that address must be a verified email on the user's account, a user may add their primary email without realizing that it is now exposed to everyone, including unauthenticated visitors. A user who only pushes signed commits to a private project might reasonably use a regular email address, since the commits themselves are out of reach for non-members of the project; the GPG key, however, is still displayed on the user's profile page for everyone to see.
As mentioned, this is simply how GPG works, so it is up to the user to decide whether to expose their email address. But the information should be stated clearly in the documentation, because the key is visible to unauthenticated visitors to the instance even when registration is restricted.
Steps to reproduce
- Log in as a user "user01"
- Add a GPG key following this guide: link
- Log out of gitlab
- Go to https://gitlab.domain.com/user01.gpg
- Save the key in a file on your local machine
- Run this command in a terminal
gpg --list-packets <FILE_PATH> | grep '@'
The email will be shown in the terminal
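The same check, as an added example that is not part of the original report and not GitLab's code: a small OpenPGP packet walker that does offline what `gpg --list-packets <FILE> | grep '@'` does in the last step above. It strips the ASCII armor (verifying the CRC-24 trailer), parses old- and new-format packet headers, and returns the email addresses found in User ID packets. The user name `user01`, the address `user01@example.com` and the key bytes are constructed placeholders; the sample key is structurally valid but not a usable key.

```python
import base64
import re

# Added example (not GitLab's or the reporter's code): an offline stand-in for
# "gpg --list-packets <FILE> | grep '@'". It walks the OpenPGP packets served at
# https://<instance>/<username>.gpg and returns the e-mail addresses carried in
# User ID packets (RFC 4880 tag 13). The sample key at the bottom is constructed.

UID_TAG = 13
ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)
EMAIL_RE = re.compile(rb"<([^<>\s]+@[^<>\s]+)>")

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6.2); headers end at a blank line, CRC-24 follows '='."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no PGP PUBLIC KEY BLOCK found")
    _, sep, payload = m.group(1).replace("\r\n", "\n").partition("\n\n")
    if not sep:
        raise ValueError("armor headers not terminated by a blank line")
    lines = [ln.strip() for ln in payload.splitlines() if ln.strip()]
    data = base64.b64decode("".join(ln for ln in lines if not ln.startswith("=")))
    crc_lines = [ln[1:] for ln in lines if ln.startswith("=")]
    if crc_lines and crc24(data) != int.from_bytes(base64.b64decode(crc_lines[0]), "big"):
        raise ValueError("armor CRC-24 mismatch")
    return data

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers per RFC 4880 section 4.2."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"invalid packet tag byte at offset {pos - 1}")
        if ctb & 0x40:                                  # new format: tag in low 6 bits
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:                                       # 224..254: partial body lengths
                raise ValueError("partial body lengths are not used in exported keys")
        else:                                           # old format: tag in bits 2..5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                              # indeterminate: runs to end of data
                length = len(data) - pos
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def extract_emails(key) -> list:
    """E-mail addresses in the User ID packets of an armored (str) or binary (bytes) key."""
    key = dearmor(key) if isinstance(key, str) else key
    emails = [m.group(1).decode("utf-8", "replace")
              for tag, body in iter_packets(key) if tag == UID_TAG
              for m in EMAIL_RE.finditer(body)]
    return list(dict.fromkeys(emails))                  # de-duplicate, keep order

def armor(key: bytes) -> str:
    """ASCII-armor a binary key block the way `gpg --armor --export` lays it out."""
    b64 = base64.b64encode(key).decode()
    crc = base64.b64encode(crc24(key).to_bytes(3, "big")).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{body}\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n"

def _packet(tag: int, body: bytes, new_format: bool) -> bytes:
    ctb = (0xC0 | tag) if new_format else (0x80 | (tag << 2))   # old format: 1-octet length type
    return bytes([ctb, len(body)]) + body                          # bodies here are < 192 bytes

# Constructed sample: v4 public-key packet with dummy RSA MPIs, a User ID for the
# hypothetical user01, and a placeholder self-signature packet. Not a usable key.
SAMPLE_KEY = (
    _packet(6, b"\x04\x00\x00\x00\x00\x01\x00\x08\x80\x00\x03\x05", new_format=False)
    + _packet(UID_TAG, b"User One <user01@example.com>", new_format=True)
    + _packet(2, b"\x04\x13\x01\x08" + b"\x00" * 12, new_format=True)
)
SAMPLE_ARMORED = armor(SAMPLE_KEY)
```

To run it against a real instance, fetch https://gitlab.domain.com/user01.gpg (with curl or urllib) and pass the response text to extract_emails(); a real export also carries subkey and signature packets, which the walker skips because it only reads tag 13. It never validates signatures, which is the point: an unauthenticated visitor needs no trust in the key to read the address out of it.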
Impact
Users might accidentally reveal their verified email addresses through public GPG keys
Examples
Test on my account key https://gitlab.com/joaxcar-test03.gpg
What is the current bug behavior?
There is no warning that GPG keys reveal verified email addresses
What is the expected correct behavior?
The documentation should mention that adding a GPG key makes the email address used in it public
Output of checks
This bug happens on GitLab.com
Impact
A missing warning could lead to users accidentally revealing their verified email addresses through public GPG keys
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: