Users can be searched by exact email match even if email is private

Summary

Extracted from https://gitlab.com/gitlab-org/gitlab/-/issues/29073#note_750601380

Currently the system allows searching by exact match of a private email. This creates a vulnerability where a list of candidate emails can be checked one by one via the API to find active profiles on gitlab.com and associate those emails with public profile information.

For example:

  1. Attacker has a list of 100 possible emails, one of which is my_private_email@gitlab.com.
  2. Attacker queries GraphQL with users(search: "my_private_email@gitlab.com") and gets public information about my profile, even though the given email is private and not exposed on my profile page.

Solution proposal

Users shouldn't be searchable by their private emails even with exact match. That includes GraphQL searches, REST API searches and UI pages.
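As an added illustration (not GitLab's code), a minimal Ruby model of the leaky lookup next to the fixed one: an email-shaped search term is matched only against the email a user has chosen to publish, never the private account email. The User struct, the sample users and EMAIL_RE are constructed for this example.

```ruby
# Added example, not GitLab code: a toy user search that shows the leak the
# issue describes and the fix it proposes.
User = Struct.new(:username, :name, :email, :public_email, keyword_init: true)

# Constructed sample accounts; the addresses are made up.
USERS = [
  User.new(username: 'alice', name: 'Alice',
           email: 'my_private_email@gitlab.com', public_email: nil),
  User.new(username: 'bob', name: 'Bob',
           email: 'bob@example.com', public_email: 'bob@example.com'),
].freeze

# Crude "looks like an email" test used to route the search term.
EMAIL_RE = /\A[^@\s]+@[^@\s]+\z/

# Vulnerable behaviour: the term is compared against the primary account
# email, so a guessed private address confirms which account owns it.
def search_users_leaky(users, term)
  users.select { |u| u.username == term || u.name == term || u.email == term }
end

# Proposed fix: an email-shaped term only ever matches an email the user
# has explicitly made public; private emails are not consulted at all.
def search_users_fixed(users, term)
  if EMAIL_RE.match?(term)
    users.select { |u| u.public_email && u.public_email.casecmp?(term) }
  else
    users.select { |u| u.username == term || u.name == term }
  end
end

# True when the two implementations disagree for a term, i.e. when the
# leaky version reveals an account that the fixed version keeps hidden.
def leaks_private_email?(users, term)
  search_users_leaky(users, term).map(&:username) !=
    search_users_fixed(users, term).map(&:username)
end
```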

See more

Long original discussion: https://gitlab.com/gitlab-org/gitlab/-/issues/29073#note_722297169