1-click account takeover via XSS in the code editor in gitlab.com
HackerOne report #2497024 by matanber
on 2024-05-09, assigned to @ottilia_westerlund:
Report
Summary
Like in every web-based VS Code instance, the web page for the GitLab Web IDE includes a "webWorkerExtensionHostIframe.html" file (hosted at https://gitlab.com/assets/webpack/gitlab-vscode/0.0.1-dev-20240501001436/vscode/out/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html) in an iframe. This iframe is responsible for running VS Code extensions, and it communicates with its parent window via postMessages. However, the postMessage listener in this iframe does not properly validate the origin of the messages which it receives. This allows a malicious site to include the webWorkerExtensionHostIframe.html
file in an iframe and interact with it as if it was the web page for the web IDE. This site can then instruct the extension host to load an arbitrary JS file as an extension, leading to arbitrary JS code execution in the https://gitlab.com
origin.
In order to exploit this issue, I logged all of the messages which are normally sent to the extension host by the page, and then modified the content of one of the messages which includes an object representing the URL of the JS file of the gitlab-ide
extension, and modified the object so that it represents the URL of a malicious JS file (https://peo.si/gl/editor/include.js). Then, I created a PoC page hxxps://peo.si/gl/editor/poc-frame.html
which simply sends all of the messages in the log file in sequence.
Steps to reproduce
- As the victim, log in to your account in gitlab.com.
- Navigate to
hxxps://peo.si/gl/editor/poc-frame.html
- Notice the API token which was logged in the console.
- Navigate to https://gitlab.com/-/user_settings/personal_access_tokens, and notice the malicious API token which was added to your account.
What is the current bug behavior?
The webWorkerExtensionHostIframe.html
file is hosted in the https://gitlab.com
origin.
What is the expected correct behavior?
The webWorkerExtensionHostIframe.html
file should be hosted in a unique sandbox origin. This is the behavior which exists in the vscode.dev and github.dev web-based VS Code instances.
Output of checks
This bug happens on GitLab.com
Impact
An attacker can take over a victim's GitLab account, with a single click from the victim.
How To Reproduce
Please add reproducibility information to this section: