  • #355028
Closed
Open
Issue created Mar 09, 2022 by GitLab SecurityBot@gitlab-securitybotReporter

Enforced group MFA can be bypassed with OAuth token with all the scopes

HackerOne report #1498133 by albatraoz on 2022-03-02, assigned to @kmorrison1:


Report

Summary

A group owner can require the members of a group to enable 2FA. This makes sure that the members of the group enable 2FA, or else they are not able to access the group or make any changes in the group and its projects. But a member of the group can bypass this restriction by creating an OAuth token, which still has access to the group's resources.

Steps to reproduce
  1. As User A, create a private group.
  2. Invite User B as a developer in this private group.
  3. Go to Settings -> General -> Permissions and group features -> enable "Require all users in this group to set up two-factor authentication".
  4. Set "Time before enforced" to 0 hours.
  5. Now log in as User B, and you will see that you are forced to enable 2FA or leave the group. Without leaving the group you are not allowed to access anything in the GitLab UI.
  6. Now open a terminal and run the following commands with the credentials of User B.
# Resource Owner Password Credentials grant: the body is read from auth.txt
echo 'grant_type=password&username=<userB_username>&password=<userB_password>' > auth.txt
curl --data "@auth.txt" --request POST "https://gitlab.com/oauth/token"

The response would contain the access token.
  7. Now use the access token obtained in step 6 in the following command, replacing the group id with the group created in step 1.

curl --header "Authorization: Bearer [OAUTH_TOKEN]" "https://gitlab.com/api/v4/groups/[GROUP_ID]"

You will see that you are able to access the group details without enabling 2FA.

Impact

An attacker would be able to bypass the 2FA enforcement of a group, access confidential information, and alter objects/resources using the different OAuth scopes available for the token, such as writing to the repository.
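The first question a group owner or administrator will have on reading this report is which members of an enforcing group still lack 2FA, since those are the accounts whose password-grant OAuth tokens keep working. The audit below is an added example, not part of the report or of GitLab's code; it works on responses in the shape of GitLab's REST API (sample data constructed inline; the HTTP calls themselves, which need an administrator token because two_factor_enabled is only returned to administrators, are left out).

```python
import json

# Constructed sample responses in the shape GitLab's REST API returns
# (sample data, not taken from the report).
# GET /groups/:id -> require_two_factor_authentication, two_factor_grace_period (hours)
GROUP = json.loads("""{"id": 42, "full_path": "private-group",
  "require_two_factor_authentication": true, "two_factor_grace_period": 0}""")
# GET /groups/:id/members/all -> id, username, access_level
MEMBERS = json.loads("""[{"id": 7, "username": "user_a", "access_level": 50},
  {"id": 8, "username": "user_b", "access_level": 30},
  {"id": 9, "username": "user_c", "access_level": 20}]""")
# GET /users/:id queried with an administrator token -> two_factor_enabled
# (user_c was deliberately not looked up, to show the "unknown" case)
USERS = json.loads("""[{"id": 7, "username": "user_a", "two_factor_enabled": true},
  {"id": 8, "username": "user_b", "two_factor_enabled": false}]""")


def audit_group_2fa(group, members, users):
    """Return {username: status} for members who do not satisfy the group's
    2FA requirement. status is "missing" (2FA confirmed off) or "unknown"
    (no administrator lookup for that user, so they cannot be cleared)."""
    if not group.get("require_two_factor_authentication"):
        return {}  # nothing is enforced, so nothing to flag
    status_by_id = {u["id"]: u.get("two_factor_enabled") for u in users}
    findings = {}
    for member in members:
        enabled = status_by_id.get(member["id"])
        if enabled is True:
            continue
        findings[member["username"]] = "missing" if enabled is False else "unknown"
    return findings


def report(group, members, users):
    """Human-readable summary: one header line plus one line per finding."""
    findings = audit_group_2fa(group, members, users)
    grace = group.get("two_factor_grace_period", 0)
    lines = [f"group {group['full_path']}: 2FA required, grace period {grace} h"]
    for name, status in sorted(findings.items()):
        lines.append(f"  {name}: 2FA {status}; tokens issued to this account "
                     "may still reach the group until 2FA is enrolled")
    return lines


if __name__ == "__main__":
    print("\n".join(report(GROUP, MEMBERS, USERS)))
```

Members flagged as "unknown" are as important as "missing": an audit that silently skips users it could not look up would clear exactly the accounts it has no evidence about.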

Proposal

Solution is proposed here.

Edited Jun 30, 2022 by Bogdan Denkovych