Users' avatar disclosure by user ID in enterprise and public GitLab instances (IDOR)

HackerOne report #1753423 by nocasis on 2022-10-27, assigned to @nmalcolm:

Report

Summary

An IDOR vulnerability allows downloading user avatars by user ID in enterprise and public GitLab instances without authorization, which leads to privacy violations.

Vulnerable API request: https://gitlab.com/uploads/-/system/user/avatar/{user_id}/avatar.png

Steps to reproduce
  1. Log in to your GitLab account and open the profile's user settings (https://gitlab.com/-/profile).
  2. Upload an avatar for your profile.
  3. Find your user ID in the profile settings (https://gitlab.com/-/profile) or on the main page with your profile activity (https://gitlab.com/{account_name}).
  4. Perform the following request in any tool (curl/burp/python/any browser) with the specified user ID and without any cookie or token: https://gitlab.com/uploads/-/system/user/avatar/{user_id}/avatar.png
  5. In the response you will see your avatar.
  6. Change the user ID in the vulnerable request to get the avatar of another person.

Since https://gitlab.com is a public service, this is not very interesting there. But the same vulnerability exists in private (enterprise) GitLab instances.

Steps to reproduce in enterprise instances

To reproduce the bug, you need to have your own GitLab instance. Replace {company_domain} with your GitLab domain in the following instructions.

  1. Iterate through user IDs (e.g. 1, 2, 3, ...) with the https://{company_domain}/uploads/-/system/user/avatar/{user_id}/avatar.png endpoint.
  2. In the responses you will see:
    • avatars of users, which can be corporate photos of people,
    • or status code 404 if the user did not set a profile avatar,
    • or status code 404 if the user does not exist.

Impact

An attacker can iterate through user IDs and get their avatars without authorization even in enterprise GitLab instances.
This can lead to the following consequences:

  • An attacker can find more information about employees through their leaked avatars, primarily if photos were used, which is often the case in enterprise systems.
  • An attacker can find out the number of engineers in the company.
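
As an added example (not part of the report or of GitLab's own code), a detection a defender could run over web-server access logs to spot the enumeration described above: it groups avatar fetches by client IP and flags clients whose requests walk consecutive user IDs, which ordinary page loads (many unrelated IDs, with a Referer) do not. The log format, IP addresses and user IDs in the sample are constructed.

```python
import re
from collections import defaultdict

# Combined-log-format line; only the client IP, request path, status and Referer are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
# The endpoint from the report, with the numeric user ID captured.
AVATAR_RE = re.compile(r'^/uploads/-/system/user/avatar/(?P<uid>\d+)/avatar\.png$')

def avatar_requests(lines):
    """Yield (ip, user_id, status, referer) for every avatar fetch in the log."""
    for line in lines:
        m = LOG_RE.match(line)
        a = AVATAR_RE.match(m.group("path")) if m else None
        if a:
            yield m.group("ip"), int(a.group("uid")), int(m.group("status")), m.group("referer")

def longest_sequential_run(ids):
    """Length of the longest run of consecutive user IDs, in request order."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumeration(lines, min_run=5):
    """Flag clients whose avatar fetches walk consecutive IDs. A normal page load also pulls
    many avatars, but for unrelated IDs and with a Referer, so it stays below min_run."""
    per_ip = defaultdict(list)
    for ip, uid, status, referer in avatar_requests(lines):
        per_ip[ip].append((uid, status, referer))
    hits = {}
    for ip, reqs in per_ip.items():
        ids = [u for u, _, _ in reqs]
        run = longest_sequential_run(ids)
        if run >= min_run:
            hits[ip] = {"distinct_ids": len(set(ids)), "run": run,
                        "not_found": sum(s == 404 for _, s, _ in reqs),
                        "no_referer": sum(r == "-" for _, _, r in reqs)}
    return hits

def _line(ip, uid, status, referer):  # builds one constructed log line for the sample below
    return (f'{ip} - - [27/Oct/2022:10:00:01 +0000] "GET /uploads/-/system/user/avatar/'
            f'{uid}/avatar.png HTTP/1.1" {status} 512 "{referer}" "curl/7.85.0"')

# Constructed sample: one client walks IDs 1..8 with no Referer (every other ID returns 404,
# as the report describes for users without an avatar); another fetches three unrelated IDs
# while viewing a project page, which is what ordinary browsing looks like.
SAMPLE_LOG = [_line("203.0.113.7", i, 200 if i % 2 else 404, "-") for i in range(1, 9)] + \
             [_line("198.51.100.9", u, 200, "https://gitlab.example/grp/proj") for u in (42, 7, 910)]
```

Calling `find_enumeration(SAMPLE_LOG)` reports only the first client; the 404 and missing-Referer counts are the corroborating signals to show an analyst.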

Examples

You can see my avatar with that link: https://gitlab.com/uploads/-/system/user/avatar/1323720/avatar.png

What is the current bug behavior?

We can see users' avatars without authorization by a direct link with a guessable user ID even in enterprise GitLab instances.

What is the expected correct behavior?

At least in enterprise GitLab instances, an attacker must not be able to see any of the company's private information (number of people, their private avatars) without authorization.

Relevant logs and/or screenshots

[Screenshot (image.png): example of request and response with an avatar]

Attachments

Warning: Attachments received through HackerOne, please exercise caution!