Confidential issues & other sensitive information of the gitlab-org group leaking due to the feed token exposure of a gitlab employee.

HackerOne report #1622423 by albatraoz on 2022-07-01, assigned to @galfaro2:

Report

Summary

A feed token is an access token tied to a GitLab account that authorizes access to that account's RSS/Atom feeds. A merge request note is leaking the feed token of a GitLab employee who has Developer access to the gitlab-org group and possibly other private internal groups too.

Steps to reproduce

  1. Visit !36553 (comment 384124309); you can see that the GitLab employee is leaking their feed token REDACTED in the notes.

  2. Now visit the following URL in a new tab:

https://gitlab.com/groups/gitlab-org/-/issues.atom?confidential=true

     You will see that it returns no information, as you are not a member of the gitlab-org group.

  3. Now visit the same URL with the leaked feed token appended:

https://gitlab.com/groups/gitlab-org/-/issues.atom?confidential=true&feed_token=REDACTED

     You can see all the confidential issues of gitlab-org leaking.

  4. You can access the issues and other information of other private groups too:

https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues.atom?feed_token=REDACTED

Impact

The impact is huge: using this token (which never expires), an attacker can snoop into confidential issues to find loopholes before they are patched and exploit them in the wild. Also, a lot of sensitive information from GitLab-owned private and public repositories is being exposed.
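A defender-side check for this class of leak, added here as an example and not part of the original report or of GitLab's own code: it scans free text such as merge request notes or commit messages for URLs whose query string carries a feed_token value (the parameter from this report; GitLab's legacy private_token API parameter is included as a second known case) and redacts the value before the text is stored or displayed. The sample note, the placeholder token value and the function names are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that act as bearer credentials in GitLab URLs.
# "feed_token" is the parameter from the report; "private_token" is GitLab's
# legacy API query parameter, included as a second known case.
SENSITIVE_PARAMS = frozenset({"feed_token", "private_token"})

# Loose URL matcher: good enough for MR notes, commit messages and chat pastes.
URL_RE = re.compile(r"https?://[^\s<>\"'()\]]+")

REDACTED = "REDACTED"

# Constructed sample note (not real data); the token value is a placeholder.
SAMPLE_NOTE = (
    "Team feed with confidential issues: "
    "https://gitlab.com/groups/gitlab-org/-/issues.atom"
    "?confidential=true&feed_token=EXAMPLE_TOKEN_NOT_REAL\n"
    "Public feed for comparison: "
    "https://gitlab.com/groups/gitlab-org/-/issues.atom.\n"
)


def _split_trailing_punct(url):
    """Separate prose punctuation that the loose regex swallowed ('...atom.')."""
    core = url.rstrip(".,;:")
    return core, url[len(core):]


def find_token_leaks(text):
    """Return (url, param, token) for every URL in `text` whose query string
    carries one of SENSITIVE_PARAMS with a non-empty value."""
    leaks = []
    for match in URL_RE.finditer(text):
        url, _ = _split_trailing_punct(match.group(0))
        query = urlsplit(url).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key in SENSITIVE_PARAMS and value:
                leaks.append((url, key, value))
    return leaks


def redact_url(url):
    """Return `url` with the value of every sensitive query parameter replaced,
    keeping all other parameters (e.g. confidential=true) intact."""
    parts = urlsplit(url)
    params = [
        (key, REDACTED if key in SENSITIVE_PARAMS else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(params)))


def redact_text(text):
    """Rewrite `text` so that no URL in it still carries a token value;
    URLs without sensitive parameters are returned unchanged."""
    def _sub(match):
        core, tail = _split_trailing_punct(match.group(0))
        cleaned = redact_url(core) if find_token_leaks(core) else core
        return cleaned + tail
    return URL_RE.sub(_sub, text)


if __name__ == "__main__":
    for url, param, _token in find_token_leaks(SAMPLE_NOTE):
        # Report the parameter and the path only; never echo the token itself.
        print(f"leak: {param} in {url.split('?', 1)[0]}")
    print(redact_text(SAMPLE_NOTE))
```

Because a feed token never expires, detection is only useful together with rotation: once a value has been pasted into a note, the owner should reset the feed token from their GitLab user settings so the leaked value stops working, and the redaction above should run before the note is persisted rather than after it has been served to readers.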

Edited by Nick Malcolm