
Leaking emails of newly created users

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1884672 by shells3c on 2023-02-23, assigned to @fvpotvin:

Report | How To Reproduce

Report

Summary

A GitLab error message leaks a user's email address in ee/app/models/ee/member.rb:

    def email_not_verified
      _("email '%{email}' is not a verified email." % { email: user.email })
    end

The error message only appears when you invite an unverified user to a group that restricts membership by email domain, which means only users who haven't verified their email are affected by this vulnerability, which is very unlikely to happen as users have to verify their email addresses to be able to log in. However, a possible attack scenario here is that the attack happens in between the sign-up and the confirmation, which I think usually only lasts some minutes. But it's exploitable because GitLab allows you to fetch the latest users (by creation time); a simple API query is enough to do this: GET /api/v4/users. So the script here is that the attacker automatically and continuously fetches new users from the API, feeds them to the Invite member API and collects the emails from the error messages.

Steps to reproduce

Note: You will need a GitLab Enterprise server or a Premium plan on gitlab.com (you can sign up for a trial)

  1. Create a new user and don't confirm the email yet, remember the username
  2. Create a group, go to Settings > General > Restrict membership by email domain and add a random domain that doesn't exist
  3. Now go to Group information > Members, click Invite members and enter the username from step 1
  4. After clicking Invite, an error message will be returned with the email address

Steps to reproduce the real-life attack scenario (on gitlab.com):

  1. After creating a Premium group, go to Group information > Members, click Invite members
  2. Click the input box under Username or email address, after a few seconds of loading, a list of suggested users will appear, choose the user on top of them
  3. Click Invite and you will have a chance of revealing that user's email
  4. If "The member's email address is not allowed for this group" is the only error message you get, try again; after several failed attempts, you will get at least one successful attempt

Output of checks

This bug happens on GitLab.com

Impact

Collecting email addresses from Gitlab
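Added example, not part of the report or of GitLab's code: a small Ruby model of the chain the report describes (poll the newest users, invite each one to a domain-restricted group, scrape the address out of the validation error), placed beside a hardened message that no longer interpolates the address. The vulnerable string is the one quoted from ee/app/models/ee/member.rb; the hardened wording, the FakeGitLab class, its response shape, and the sample users are assumptions constructed so the example runs offline and do not describe GitLab's actual fix or API response format.

```ruby
# Added example (not GitLab code). The fake API, sample users and response
# shape are constructed for the example; only the vulnerable message text is
# taken from the report.

LEAK_PATTERN = /email '([^']+)' is not a verified email/

# Vulnerable message, as quoted from ee/app/models/ee/member.rb in the report.
def email_not_verified_vulnerable(user)
  "email '%{email}' is not a verified email." % { email: user[:email] }
end

# Hardened message (assumed fix, not GitLab's actual patch): the address is no
# longer interpolated, so the error can't serve as an oracle for it.
def email_not_verified_hardened(_user)
  "The member's email address is not verified."
end

# Attacker side: pull an address out of an error message, if one is present.
def leaked_email(message)
  m = LEAK_PATTERN.match(message.to_s)
  m && m[1]
end

# Stand-in for the two calls the report chains together (GET /api/v4/users and
# the invite-member endpoint). Constructed; the {status:, message:} shape is the
# example's own, not GitLab's documented response format.
class FakeGitLab
  def initialize(users, message_builder)
    @users = users                     # each: {id:, username:, email:, confirmed:}
    @message_builder = message_builder # the email_not_verified variant in use
  end

  # Newest users first, like GET /api/v4/users?order_by=id&sort=desc.
  def newest_users
    @users.sort_by { |u| -u[:id] }.map { |u| { id: u[:id], username: u[:username] } }
  end

  # Inviting into a domain-restricted group: a confirmed user is rejected on
  # domain, an unconfirmed one trips the email_not_verified validation.
  def invite(user_id)
    user = @users.find { |u| u[:id] == user_id }
    return { status: 404, message: 'Not found' } unless user
    return { status: 400, message: @message_builder.call(user) } unless user[:confirmed]

    { status: 400, message: "The member's email address is not allowed for this group" }
  end
end

# One polling round of the attack: invite every not-yet-seen user and keep
# whatever addresses the error messages give away. seen_ids is mutated so the
# caller can loop continuously without re-inviting the same accounts.
def harvest(api, seen_ids)
  found = {}
  api.newest_users.each do |u|
    next if seen_ids.include?(u[:id])

    seen_ids << u[:id]
    email = leaked_email(api.invite(u[:id])[:message])
    found[u[:username]] = email if email
  end
  found
end

# Constructed sample population: two accounts still inside the sign-up /
# confirmation window, one fully confirmed.
SAMPLE_USERS = [
  { id: 101, username: 'alice', email: 'alice@example.com', confirmed: true },
  { id: 102, username: 'bob',   email: 'bob@example.org',   confirmed: false },
  { id: 103, username: 'carol', email: 'carol@example.net', confirmed: false }
].freeze

# Runs one harvesting round against the fake instance using the given message.
def demo(message_builder)
  harvest(FakeGitLab.new(SAMPLE_USERS, message_builder), [])
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{demo(method(:email_not_verified_vulnerable))}"
  puts "hardened:   #{demo(method(:email_not_verified_hardened))}"
end
```

With the vulnerable message the round returns the two unconfirmed users' addresses; with the hardened message it returns nothing, because the only thing that changed between the two runs is whether the validation error echoes user-controlled data back to a third party. Against a real instance the polling interval would matter (the window closes as soon as the target confirms), but that is exactly why the fix belongs in the message rather than in rate limiting.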

How To Reproduce

Please add reproducibility information to this section: