Revealing members' full info of a private group as an unauthorized user
HackerOne report #2306492 by 0x777
on 2024-01-07, assigned to @ngeorge1:
Report
Summary
Hi team,
I was navigating a private project - https://gitlab.com/jasramrajame/govindbabu/
When I went to see that project's members, I found that the project also has a group.
But when I tried to navigate to that group, I found it is a private group [ and GitLab is using proper protection to keep it hidden ]
see here -
According to Gitlab -
Private means private. Unless you are a member of the private group or project, you can't see any information about it.
Steps to reproduce
Please follow my steps to reproduce this issue -
1. Navigate to this public project - https://gitlab.com/jasramrajame/govindbabu/
2. See that this public project has no members other than the owner, but has one private group
![image.png](https://h1.sec.gitlab.net/a/77c77563-3825-4c84-a3c6-58521d7083e6/image.png)
3. As an unauthorized user I could not even reveal the private group's name [ well protected by GitLab - all hidden ]
4. Now run this query in your browser - https://gitlab.com/jasramrajame/govindbabu/-/autocomplete_sources/members?type=Issue&type_id=2
5. See there the members' info of that hidden private group
Here - the attacker got all members' info from the private group -
```json
[
{
"type": "User",
"username": "chotebabu",
"name": "ram pal",
"avatar_url": "https://secure.gravatar.com/avatar/fe6d039aac1c66d73ec151339d238a89?s=80&d=identicon",
"availability": null
},
{
"type": "User",
"username": "dpar356",
"name": "Daniel Park",
"avatar_url": "https://secure.gravatar.com/avatar/afd78fecd0d2fb936c23d9366d0fc39a?s=80&d=identicon",
"availability": null
},
{
"type": "User",
"username": "jasramrajame",
"name": "Jasram",
"avatar_url": "https://secure.gravatar.com/avatar/059d853dd59259018cb99253f88b39b3?s=80&d=identicon",
"availability": null
},
{
"type": "User",
"username": "marcolanchester100",
"name": "Marco Lanchester",
"avatar_url": "https://secure.gravatar.com/avatar/c419f6799e59a39776d7efdb913e291f?s=80&d=identicon",
"availability": null
},
{
"type": "User",
"username": "panh19032003",
"name": "Anh Pham",
"avatar_url": "https://secure.gravatar.com/avatar/5b5429cfe04403c67e70328d892936d2?s=80&d=identicon",
"availability": null
},
```
this includes all private groups' members info ]
This bug happens on https://gitlab.com
Impact
Here an attacker can disclose all private groups' information [ like their members ], even though GitLab hides it from the GitLab UI [ showing "private" text to an unauthorized user ]
This also abuses GitLab's private policy - according to GitLab:
Private means private. Unless you are a member of the private group or project, you can't see any information about it.
thanks
[@]riuok
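The report above describes an autocomplete endpoint that returns inherited group members without applying the visibility rule the UI enforces. The following is an added illustration (not GitLab's code or the reporter's): a toy model of that authorization gap with a leaky and a hardened variant, plus a regression check that compares an endpoint response in the report's JSON shape against the members an unauthorized viewer can actually see. All structs, the visibility rule and the sample accounts are hypothetical.

```ruby
require 'json'

User    = Struct.new(:username, :name)
Group   = Struct.new(:name, :visibility, :members)   # visibility: :public or :private
Project = Struct.new(:path, :visibility, :members, :group)

# Hypothetical visibility rule: a group is readable when it is public or the
# viewer (nil = anonymous) is one of its members. Mirrors the UI behaviour the
# report describes, where the private group is fully hidden from outsiders.
def can_read_group?(viewer, group)
  return false if group.nil?
  group.visibility == :public || (!viewer.nil? && group.members.include?(viewer))
end

# Leaky variant: inherited group members are appended regardless of who asks,
# so an endpoint built this way discloses private group membership.
def autocomplete_members_leaky(project, _viewer)
  (project.members + (project.group ? project.group.members : [])).uniq
end

# Hardened variant: inherited members are added only when the viewer is
# allowed to read the parent group, matching what the UI already enforces.
def autocomplete_members_filtered(project, viewer)
  inherited = can_read_group?(viewer, project.group) ? project.group.members : []
  (project.members + inherited).uniq
end

# Serialize in the response shape shown in the report.
def to_response(users)
  users.map { |u| { 'type' => 'User', 'username' => u.username, 'name' => u.name, 'availability' => nil } }
end

# Regression check: usernames an unauthorized viewer receives from the endpoint
# that are not among the members visible to that viewer in the UI are a leak.
def leaked_usernames(response_json, visible_usernames)
  JSON.parse(response_json).map { |e| e['username'] } - visible_usernames
end

# Constructed sample data (not real accounts or projects).
OWNER          = User.new('owner1', 'Project Owner')
GROUP_MEMBER   = User.new('gmember1', 'Hidden Group Member')
PRIVATE_GROUP  = Group.new('hidden-team', :private, [GROUP_MEMBER, OWNER])
PUBLIC_PROJECT = Project.new('owner1/demo', :public, [OWNER], PRIVATE_GROUP)
ANONYMOUS      = nil

if __FILE__ == $PROGRAM_NAME
  leaky = to_response(autocomplete_members_leaky(PUBLIC_PROJECT, ANONYMOUS)).to_json
  puts "leaked to anonymous: #{leaked_usernames(leaky, ['owner1']).inspect}"   # ["gmember1"]
end
```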