Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email
HackerOne report #1517554 by
vaib25vicky on 2022-03-21, assigned to @rshambhuni:
Member invitation by email address is vulnerable and allows user impersonation. When project admin invites a new member via email then Gitlab code match it with unverified email of different account. This gives an opportunity to an attacker to add legitimate member email address to his account and gain access to the private project.
Suppose there is company name
xyz.org, all projects of this company are only accessible to its employees, that is those Gitlab accounts that have email addresses that match
Attacker can add email address
firstname.lastname@example.org to his personal Gitlab account which is an unverified email address and then all invitation to the
email@example.com are actually goes to the attacker and he gains access to the private projects of the company.
- Attacker has a verified primary email address which he owns
- He adds another email address of the company employee
firstname.lastname@example.org his account .
This will be an unverified secondary email address
- Creates a project named
- Invites member to the project by email address
- Gitlab will not check whether email address is verified or not and incorrectly matches the invitation to the attacker account.
- Attacker successfully managed to impersonate a legitimate employee of the company and gain access to the private project and repository
Output of checks
This bug happens on GitLab.com. Probably instance too (please check)
Gitlab don't check verified email address prior to matching them with Gitlab accounts and this allows an attacker to gain access to private projects with higher permissions and impersonate legitimate members of the project.
How To Reproduce
Please add reproducibility information to this section: