
Private email address of service desk issue creator disclosed via /api/v4/projects/{project_id}/issues?iids[]={issue_id}

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #1933829 by ricardobrito on 2023-04-04, assigned to GitLab Team:


Report

Background

Service Desk allows non-members of a project to create issues on a project by sending an email address to the service desk email assigned to a particular project.

Recently in GitLab 15.9, the following was introduced:

Redact Service Desk email addresses in issues: GitLab Service Desk makes it easy to interact with customers and provide support. To ensure that customer email addresses are kept private, you now need to have at least the Reporter role in a project or group to see the sender address of a Service Desk issue. This applies to both public and private projects.

The documentation says that only signed-in users with at least reporter role for the project are allowed to view the email of the creator of the service desk issue.

Summary

I have found that a user with guest role on a project is capable of leaking the redacted email address of the sender (creator of the issue) through the following API endpoint: http://your-instance.com/api/v4/projects/:id/issues

The user email is leaked in the field service_desk_reply_to.

Pre-requisites

In order to test this functionality, you need to set up service desk for your instance, such that your projects can have a service desk email. The instructions to set this up can be found in the GitLab documentation.

Steps to reproduce
  1. As user A, create a project, and inside the project go to settings->general->service desk and enable it for this project.
  2. Still inside step 1, take note of the email which users will use to create confidential issues on your project, e.g. in my poc the email is gitlabhackerone+admin-group-admin-project-31-issue-[@]gmail.com.
  3. Invite a guest user, say user B, to your project with the guest role.
  4. Now send an email to gitlabhackerone+admin-group-admin-project-31-issue-[@]gmail.com.
  5. If you reload the issues of the projects, you will see that a new issue was created with the title set as the subject of the email sent in step 5 and the description set with the body of the email from step 5.
  6. This issue is confidential by default. Change it to public (according to the documentation, even public issues CANNOT have the sender's email leaked).
  7. Access the issue as user B, you will be able to see the issue, however the email will be redacted:

Screenshot_2023-04-04_at_8.44.16_PM.png
  8. So far so good, but now as the guest user, generate an API access token and make the following request (I use Postman); the curl command would be:
     curl -sk -H "PRIVATE-TOKEN: YOUR-TOKEN" http://127.0.0.1:3000/api/v4/projects/:ID/issues
     In which YOUR-TOKEN would be the guest user's token and ID would be the project ID. The result will contain the email of the user who sent the email that automatically created the issue, leaked in the service_desk_reply_to field.
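The report describes a mismatch between the UI (sender address redacted below the Reporter role) and the REST API (sender address returned regardless of role). The following is an added illustration, not GitLab's code and not part of the HackerOne report: a role-gated filter that nulls `service_desk_reply_to` for callers below Reporter, and a regression check that scans an issues API response and lists the issue iids where the field is populated for a low-privilege caller. The access-level numbers are the values GitLab documents for its roles; the function names, the `find_leaks` helper and the sample JSON response are constructed for this example.

```python
"""Illustrative authorization filter and regression check for the
service_desk_reply_to field returned by /api/v4/projects/:id/issues.

Added example, not GitLab's implementation: it demonstrates the check
the report implies should apply on the API path (Reporter or above).
"""
import json
from typing import Any

# GitLab access-level values for project roles (documented by GitLab;
# this mapping is assumed here for the example).
GUEST = 10
REPORTER = 20
DEVELOPER = 30
MAINTAINER = 40
OWNER = 50

# The field the report identifies as leaking the sender address.
SENSITIVE_FIELD = "service_desk_reply_to"


def redact_issue_for_role(issue: dict[str, Any], access_level: int) -> dict[str, Any]:
    """Return a copy of one issue with the sender address nulled unless the
    caller holds at least the Reporter role, mirroring the UI behaviour the
    report describes. Returns a new dict; the input is not modified."""
    filtered = dict(issue)
    if access_level < REPORTER and SENSITIVE_FIELD in filtered:
        filtered[SENSITIVE_FIELD] = None
    return filtered


def find_leaks(response_body: str, access_level: int) -> list[int]:
    """Regression check over a raw API response body (hypothetical helper).

    Accepts either a list of issues (GET /projects/:id/issues) or a single
    issue object (GET /projects/:id/issues/:iid) and returns the iids whose
    sender address is populated even though the caller's role is below
    Reporter. An empty list means no leak for that role."""
    payload = json.loads(response_body)
    issues = payload if isinstance(payload, list) else [payload]
    return [
        int(issue["iid"])
        for issue in issues
        if access_level < REPORTER and issue.get(SENSITIVE_FIELD)
    ]


# Constructed sample response (not real data): one Service Desk issue whose
# sender address is still present, and one ordinary issue without it.
SAMPLE_RESPONSE = json.dumps([
    {"iid": 1, "title": "Login problem", "confidential": False,
     SENSITIVE_FIELD: "customer@example.com"},
    {"iid": 2, "title": "Regular issue", "confidential": False,
     SENSITIVE_FIELD: None},
])


if __name__ == "__main__":
    # With the guest role, issue 1 is flagged; with Reporter or above, nothing is.
    print("leaks seen by a guest   :", find_leaks(SAMPLE_RESPONSE, GUEST))
    print("leaks seen by a reporter:", find_leaks(SAMPLE_RESPONSE, REPORTER))
    # The filter is what the API path would apply before serialising.
    guest_view = [redact_issue_for_role(i, GUEST) for i in json.loads(SAMPLE_RESPONSE)]
    print("guest view after redaction:", json.dumps(guest_view))
```

Running the script against a captured response from a guest-scoped token gives a quick pass/fail for the behaviour the report describes: a non-empty list from `find_leaks` for the guest role means the API is still returning the sender address that the UI hides.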

POC video:

user-email.leaked.mov

Instance details

This bug happens on your-gitlab-instance, and it was tested on the latest GitLab version.

Impact

A guest user can leak the email address of the creator of a confidential service desk issue.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: