Users' avatar disclosure by user ID in enterprise and public GitLab instances (IDOR)
HackerOne report #1753423 by nocasis
on 2022-10-27, assigned to @nmalcolm:
Summary
IDOR vulnerability allows downloading user avatars by their ID in enterprise and public GitLab instances without authorization which leads to privacy violations.
Vulnerable API request:
https://gitlab.com/uploads/-/system/user/avatar/{user_id}/avatar.png
Steps to reproduce
- log in to your GitLab account and open the profile's user settings (https://gitlab.com/-/profile),
- upload an avatar for your profile,
- find your user ID in the profile settings (https://gitlab.com/-/profile) or on the main page with your profile activity (https://gitlab.com/{account_name}),
- perform the following request in any tool (curl/burp/python/any browser) with the specified user ID and without any cookie or token: https://gitlab.com/uploads/-/system/user/avatar/{user_id}/avatar.png
- in the response you will see your avatar,
- change the user ID in the vulnerable request to get the avatar of another person.
Since https://gitlab.com is a public service, this is not very interesting there. But the same vulnerability exists in private (enterprise) GitLab instances.
Steps to reproduce in enterprise instances
To reproduce the bug, you need to have your own GitLab instance. Replace {company_domain} with your GitLab domain in the following instructions.
- iterate through user IDs (e.g. 1, 2, 3, ...) against the https://{company_domain}/uploads/-/system/user/avatar/{user_id}/avatar.png endpoint,
- in the responses you will see:
  - avatars of users, which can be corporate photos of people,
  - or status code 404 if the user did not set a profile avatar,
  - or status code 404 if the user does not exist.
Impact
An attacker can iterate through user IDs and get their avatars without authorization even in enterprise GitLab instances.
This can lead to the following consequences:
- An attacker can find more information about employees through their leaked avatars, primarily if photos were used, which is often the case in enterprise systems.
- An attacker can find out the number of engineers in the company.
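As an added example (not part of the report and not GitLab's own code), the following check lets the operator of a self-managed instance scan web-server access logs for the user-ID walk described above against the avatar path. The log lines are constructed samples in combined-log format, and the thresholds (`min_ids`, `min_404_ratio`) are assumptions to tune per instance.

```python
import re
from collections import defaultdict

# Avatar path from the report; the numeric user ID is the only variable segment.
AVATAR_RE = re.compile(r"^/uploads/-/system/user/avatar/(\d+)/avatar\.png$")
# Combined-format access-log line (nginx/Apache style): client IP, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_avatar_hits(lines):
    """Return {client_ip: [(user_id, status), ...]} for every GET of the avatar path."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        a = AVATAR_RE.match(m.group("path"))
        if a and m.group("method") == "GET":
            hits[m.group("ip")].append((int(a.group(1)), int(m.group("status"))))
    return hits

def flag_enumeration(lines, min_ids=5, min_404_ratio=0.3):
    """Flag clients that fetch many distinct avatar IDs, especially consecutive IDs or with many 404s."""
    flagged = {}
    for ip, reqs in parse_avatar_hits(lines).items():
        ids = sorted({uid for uid, _ in reqs})
        if len(ids) < min_ids:
            continue  # too few distinct IDs to look like a walk
        consecutive = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        not_found = sum(1 for _, st in reqs if st == 404)
        ratio_404 = not_found / len(reqs)
        if consecutive >= min_ids - 1 or ratio_404 >= min_404_ratio:
            flagged[ip] = {"distinct_ids": len(ids), "consecutive_pairs": consecutive, "ratio_404": round(ratio_404, 2)}
    return flagged

def _line(ip, path, status):  # builds one constructed combined-format log line
    return f'{ip} - - [27/Oct/2022:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "curl/7.85.0"'

# Constructed sample: one client walks IDs 1..6 (mixed 200/404); another fetches a single known avatar.
SAMPLE_LOG = [
    _line("203.0.113.7", f"/uploads/-/system/user/avatar/{i}/avatar.png", st)
    for i, st in zip(range(1, 7), [200, 404, 200, 404, 404, 200])
] + [
    _line("198.51.100.2", "/uploads/-/system/user/avatar/1323720/avatar.png", 200),
    _line("198.51.100.2", "/-/profile", 200),
]

if __name__ == "__main__":
    for ip, info in flag_enumeration(SAMPLE_LOG).items():
        print(f"possible avatar enumeration from {ip}: {info}")
```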
Examples
You can see my avatar with that link: https://gitlab.com/uploads/-/system/user/avatar/1323720/avatar.png
What is the current bug behavior?
We can see users' avatars without authorization by a direct link with a guessable user ID even in enterprise GitLab instances.
What is the expected correct behavior?
At least in enterprise GitLab instances, an attacker must not be able to see any of the company's private information (number of people, their private avatars) without authorization.
Relevant logs and/or screenshots
Example of request and response with an avatar.