Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email
HackerOne report #1517554 by vaib25vicky on 2022-03-21, assigned to @rshambhuni:
Report
Description
Member invitation by email address is vulnerable and allows user impersonation. When project admin invites a new member via email then Gitlab code match it with unverified email of different account. This gives an opportunity to an attacker to add legitimate member email address to his account and gain access to the private project.
Attack Scenario
Suppose there is company name xyz.org, all projects of this company are only accessible to its employees, that is those Gitlab accounts that have email addresses that match <employee_name>[@]xyz.org.
Attacker can add email address john@xyz.org to his personal Gitlab account which is an unverified email address and then all invitation to the john@xyz.org are actually goes to the attacker and he gains access to the private projects of the company.
PoC
Attacker account
- Attacker has a verified primary email address which he owns
- He adds another email address of the company employee
john@gitlab-bounty.comin his account .
This will be an unverified secondary email address
Victim account
- Creates a project named
Gitlab-Bounty - Invites member to the project by email address
john@gitlab-bounty.com
Bug
- Gitlab will not check whether email address is verified or not and incorrectly matches the invitation to the attacker account.
- Attacker successfully managed to impersonate a legitimate employee of the company and gain access to the private project and repository
Output of checks
This bug happens on GitLab.com. Probably instance too (please check)
Impact
Gitlab don't check verified email address prior to matching them with Gitlab accounts and this allows an attacker to gain access to private projects with higher permissions and impersonate legitimate members of the project.
How To Reproduce
Please add reproducibility information to this section: