Users can be searched by exact email match even if email is private
Summary
Extracted from https://gitlab.com/gitlab-org/gitlab/-/issues/29073#note_750601380
Currently the system allows users to be found by an exact match on a private email address. This creates a vulnerability where a list of candidate emails can be checked via the API to find active profiles on gitlab.com and to associate those emails with public profile information.
For example:
- Attacker has a list of 100 possible emails, one of them being `my_private_email@gitlab.com`.
- Attacker queries GraphQL with `users(search: "my_private_email@gitlab.com")` and gets public information about my profile, even though the given email is private and not exposed on my profile page.
Solution proposal
Users shouldn't be searchable by their private emails, even with an exact match. That includes GraphQL searches, REST API searches and UI pages.
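An added illustration of the behaviour described above and of the proposed fix; this is not GitLab's code. It uses a constructed in-memory user list and a hypothetical `requester_admin` flag: the vulnerable search matches the private `email` column, the hardened search only matches `public_email`, which the user chose to expose.

```ruby
# Minimal model of user search (added example, not GitLab's implementation).
User = Struct.new(:username, :name, :email, :public_email, keyword_init: true)

# Constructed sample data: alice keeps her email private, bob opted in to a public one.
USERS = [
  User.new(username: "alice", name: "Alice A",
           email: "my_private_email@gitlab.com", public_email: nil),
  User.new(username: "bob", name: "Bob B",
           email: "bob-internal@example.test", public_email: "bob@example.test"),
].freeze

# Vulnerable behaviour from the issue: the query is compared against the
# private email column, so an exact hit confirms that the address belongs
# to an active account and returns that account's public profile data.
def search_users_vulnerable(query, users = USERS)
  q = query.downcase
  users.select do |u|
    u.username.downcase.include?(q) ||
      u.name.downcase.include?(q) ||
      u.email.downcase == q # leaks ownership of a private email
  end
end

# Hardened behaviour: the private email column is never consulted for
# ordinary callers. Email-shaped queries only match public_email. The
# hypothetical requester_admin flag keeps lookup by private email available
# to administrators, who can already see every user's email.
def search_users_hardened(query, users = USERS, requester_admin: false)
  q = query.downcase
  users.select do |u|
    u.username.downcase.include?(q) ||
      u.name.downcase.include?(q) ||
      (u.public_email && u.public_email.downcase == q) ||
      (requester_admin && u.email.downcase == q)
  end
end
```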
See more
Long original discussion: https://gitlab.com/gitlab-org/gitlab/-/issues/29073#note_722297169