IdentitiesController allows linking of arbitrary unclaimed provider identities
Summary
The IdentitiesController introduced as part of a security fix allows binding extern_uids for arbitrary providers to an account.
This issue was even discussed in the MR; however, it was not deemed impactful enough to be prevented.
The reasoning in the original security MR was along the lines of:
the errant identity would actually open their own account up to compromise
However, this issue can be used to pre-occupy extern_uids: as an attacker I would create a dedicated account on gitlab.com and bind a target extern_uid (e.g. with the google_oauth2 provider) to that account. When the real owner of that extern_uid later tries to sign up with Google,
they end up in the pre-occupied account and may not even realize that it is not a newly created account, while the attacker retains access to it.
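The following is an added, constructed Ruby illustration (not GitLab's code) of the distinction the report turns on: an identity store that accepts a caller-supplied provider/extern_uid pair lets one account pre-occupy an identity it does not control, whereas one that only accepts a pair proven through the provider's own callback, and that refuses pairs already held by another account, does not. `Identity`, `VerifiedOmniAuth` and `IdentityStore` are hypothetical names chosen for this example.

```ruby
# Constructed stand-in for an identity record: provider, extern_uid, owning user.
Identity = Struct.new(:provider, :extern_uid, :user_id)

# Only the OAuth callback handler would construct this; it stands for
# "the provider has just authenticated this uid in the current session".
class VerifiedOmniAuth
  attr_reader :provider, :uid

  def initialize(provider, uid)
    @provider = provider
    @uid = uid
    freeze
  end
end

class IdentityStore
  class LinkError < StandardError; end

  def initialize
    @identities = []
  end

  # Flawed pattern described in the report: any signed-in user may bind an
  # arbitrary provider/extern_uid they never proved control of.
  def link_unverified!(user_id, provider, extern_uid)
    @identities << Identity.new(provider, extern_uid, user_id)
  end

  # Hardened pattern: the pair must originate from a completed provider
  # callback, and no other account may already hold it.
  def link_verified!(user_id, auth)
    raise LinkError, "identity not proven via provider callback" unless auth.is_a?(VerifiedOmniAuth)
    existing = find(auth.provider, auth.uid)
    raise LinkError, "extern_uid already claimed by another account" if existing && existing.user_id != user_id
    @identities << Identity.new(auth.provider, auth.uid, user_id) unless existing
  end

  def find(provider, extern_uid)
    @identities.find { |i| i.provider == provider && i.extern_uid == extern_uid }
  end

  # OAuth sign-in resolves the callback's uid to whichever account holds it.
  def user_for(auth)
    find(auth.provider, auth.uid)&.user_id
  end
end
```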