Oauth Web Application Flow vulnerability
HackerOne report #743556 by peet86
on 2019-11-21, assigned to @jeremymatos:
Summary
Authentication via the Oauth2 Web application flow grants an authorization code for non-(email-)verified users.
Gitlab doesn't care about the user's verification state and authorizes Oauth requests without checking the authenticity of the user's primary identifier (email).
- One can enter a non-existing email address while signing up on Gitlab.com. (correct)
- At this point the user has a Gitlab account logged in on gitlab.com. The gitlab user is not yet (email) verified though. (correct)
- When the user requests Oauth authorization from a web application Gitlab authorizes it and claims the user is real. (vulnerability)
- After the redirect to the Web application, the user receives the authorization code without any warning or status. (vulnerability)
Steps to reproduce
- Start an Oauth Web Application Flow in an incognito window (no active gitlab sessions) from a previously registered oauth application.
- Register a new Gitlab account with a non-existing / fake email: https://gitlab.com/users/sign_in
- Gitlab authorizes the Oauth authorization request and returns with the authorization code.
Impact
Gitlab Oauth authorizes non-verified, possibly fake users with (possibly fake) email addresses.
E.g. random@random.com, tim@apple.com.
Gitlab claims tim@apple.com or random@random.com are valid users and returns the email addresses when scope=read_user+profile is requested from a web app (after the successful authorization).
Gitlab as Oauth Provider compromises millions of web applications around the world. The vulnerability affects all Oauth clients which are trusting Gitlab as a social authentication provider. Many of these web applications expect that Gitlab authorization fails for non-verified users and does not allow API access for users with possibly fake unique identifiers (email addresses).
Examples
Not project related. Please just follow the steps above.
What is the current bug behavior?
Oauth authorization SUCCESS.
What is the expected correct behavior?
When a primary email address for a user account has not been verified, Oauth authorization should FAIL.
A similar Oauth flow on Github.com and many other Oauth providers fails. With those providers it's not possible to use not-yet-verified accounts for Oauth flows.
Relevant logs and/or screenshots
- F640441
- After clicking Authorize, the Oauth client app receives the authorization code as a query string.
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
This bug happens on GitLab.com
Impact
Please read Impact section in the description.
Also please note that while this is not necessarily a security leak for Gitlab, many different types of account hijacking are possible in other Oauth-dependent web applications which are trusting Gitlab as an Oauth Provider. E.g.:
- An attacker registered with tim@apple.com on gitlab.com could hijack a user account which belongs to the real owner of tim@apple.com in a web application where social accounts are connected with (verified) email + password accounts.
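As an added defender-side example (not part of the report or of Gitlab's code), this is the linking check an Oauth client that uses Gitlab as a social login could apply before matching a provider identity to a local account by email. The payloads are constructed to imitate the `GET /api/v4/user` response; treating its `confirmed_at` field as the verification signal is an assumption about the API, not something the report states.

```python
"""Account linking for a web application that trusts GitLab as an OAuth
provider. The fix on the client side is simple: never match a provider
identity against a local (verified) email+password account unless the
provider explicitly asserts that the email is confirmed."""
from dataclasses import dataclass
from typing import Optional

# Constructed payloads imitating GET /api/v4/user (scope read_user).
# Assumption: GitLab reports email verification via 'confirmed_at'.
UNVERIFIED_USER = {"id": 101, "username": "not-tim", "state": "active",
                   "email": "tim@apple.com", "confirmed_at": None}
VERIFIED_USER = {"id": 102, "username": "tim", "state": "active",
                 "email": "tim@apple.com",
                 "confirmed_at": "2019-11-21T10:00:00Z"}

# Local accounts whose email was verified by *our* application.
LOCAL_ACCOUNTS = {"tim@apple.com": "tim"}


@dataclass
class LinkDecision:
    action: str                 # "link", "create_unlinked" or "reject"
    reason: str
    provider_uid: Optional[int] = None
    local_account: Optional[str] = None


def email_is_verified(user_info: dict) -> bool:
    """True only when the provider positively asserts verification."""
    return bool(user_info.get("confirmed_at")) and \
        user_info.get("state") == "active"


def decide_link(user_info: dict, local_accounts: dict) -> LinkDecision:
    """Decide how to map a freshly authorized GitLab identity locally."""
    uid = user_info.get("id")
    email = (user_info.get("email") or "").strip().lower()
    if uid is None or not email:
        return LinkDecision("reject", "missing provider id or email", uid)
    if not email_is_verified(user_info):
        # An unverified email is just a string the user typed at sign-up;
        # it must never be used to attach to an existing local account.
        return LinkDecision("create_unlinked",
                            "provider email unverified; no auto-link", uid)
    if email in local_accounts:
        return LinkDecision("link", "verified email matches local account",
                            uid, local_accounts[email])
    return LinkDecision("create_unlinked", "verified email, no local match",
                        uid)
```

The decision for the unverified payload is `create_unlinked`, so the fake tim@apple.com identity gets its own fresh account instead of the real owner's.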
Attachments