
Takeover of `bb-vuln-stats-gitlab-com-gl-security-security-re-c25977bf1ada94.gitlab.io` GitLab Page

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2759470 by psycho_012 on 2024-10-04, assigned to GitLab Team:


Report

Summary:
I found a vulnerable GitLab Page at https://bb-vuln-stats-gitlab-com-gl-security-security-re-c25977bf1ada94.gitlab.io/, which is referenced for Bug Bounty statistics in the GitLab Handbook, under the "Team Member Upskilling" section. I was able to take over the page and host a proof of concept (PoC).

Description:
While reviewing the GitLab Handbook, I found references to the GitLab Page used by GitLab for displaying Bug Bounty statistics. The page is linked in the following resources:

  • Vulnerable Page: https://bb-vuln-stats-gitlab-com-gl-security-security-re-c25977bf1ada94.gitlab.io/

  • References in Handbook:

    • https://handbook.gitlab.com/handbook/security/product-security/product-security-engineering/runbooks/team-member-upskilling/#:~:text=identify%20a%20class%20of%20recurring%20issues%20from%20Bug%20Bounty%20Stats

      ![image.png](https://h1.sec.gitlab.net/a/343a1e11-2dad-4ca9-8f2f-0ae53844786e/image.png)
    • https://gitlab.com/gitlab-com/content-sites/handbook/-/blob/main/content/handbook/security/product-security/product-security-engineering/runbooks/team-member-upskilling.md#:~:text=identify%20a%20class%20of%20recurring%20issues%20from%20Bug%20Bounty%20Stats

      (screenshot attachment: image.png)

I was able to take over this GitLab page and uploaded a proof of concept (PoC) file demonstrating the successful takeover.

Recommendation:
Secure the vulnerable GitLab Page https://bb-vuln-stats-gitlab-com-gl-security-security-re-c25977bf1ada94.gitlab.io/ by reclaiming it to prevent any unauthorized takeover.

Impact

If an attacker successfully takes over the bb-vuln-stats-gitlab-com-gl-security-security-re-c25977bf1ada94.gitlab.io page, they would gain the ability to perform the following actions:

  • In GitLab, when internal links are shared publicly, they usually redirect to the GitLab login page or Google login page. An attacker can take over this GitLab Page and serve their own login page through it, potentially compromising GitLab employee accounts.
  • Inject malicious content that could be distributed to internal users.
  • Modify important resources linked from the page.
  • An attacker can also serve stored malware through this GitLab Page, posing a threat to GitLab employees.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
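The recommendation above (reclaim the hostname) is a one-off fix; the underlying hygiene problem is handbook text that keeps linking to a `*.gitlab.io` site after the project behind it is gone. The following is an added example, not code from the report or from GitLab, of the audit a handbook maintainer could run over their own markdown: it extracts every `*.gitlab.io` hostname and classifies each by what it currently serves. The hostnames in the sample text are constructed placeholders, and the 404 rule is an assumption (a Pages hostname with no project behind it is taken to answer 404, a live site to answer 2xx/3xx); the status fetcher is injectable so the audit runs offline.

```python
"""Audit markdown for references to *.gitlab.io Pages sites and flag any
that no longer serve content (candidate dangling references).

Added example, not part of the original report. Assumption: a GitLab Pages
hostname whose project no longer exists answers HTTP 404, a live site 2xx/3xx.
"""
import re
import urllib.request
from urllib.error import HTTPError, URLError

# Host part of any http(s) link to a *.gitlab.io site.
PAGES_HOST_RE = re.compile(r"https?://([a-z0-9][a-z0-9.-]*\.gitlab\.io)\b", re.IGNORECASE)

# Constructed sample handbook text; the hostnames are placeholders, not real sites.
SAMPLE_HANDBOOK = """\
## Team Member Upskilling

Identify a class of recurring issues from
[Bug Bounty Stats](https://example-stats-abcdef0123456789.gitlab.io/).
Also see https://example-stats-abcdef0123456789.gitlab.io/weekly and
the [style guide](https://example-docs-live.gitlab.io/guide/).
Unrelated link: https://docs.gitlab.com/ee/user/project/pages/
"""


def extract_pages_hosts(markdown_text):
    """Return the distinct *.gitlab.io hostnames referenced in the text, sorted."""
    return sorted({m.group(1).lower() for m in PAGES_HOST_RE.finditer(markdown_text)})


def probe_status(host, timeout=5):
    """HEAD https://<host>/ and return the HTTP status code, or None when the
    host is unreachable (DNS failure, refused connection, timeout)."""
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except (URLError, OSError):
        return None


def classify(status):
    """Map an HTTP status (or None) to an audit verdict."""
    if status is None:
        return "unreachable"
    if status == 404:
        return "dangling-candidate"  # assumption: no project behind the hostname
    if 200 <= status < 400:
        return "serving"
    return f"other-{status}"


def audit(markdown_text, fetch_status=probe_status):
    """Return {host: verdict} for every Pages host referenced in the text.
    fetch_status is injectable so the audit can run without network access."""
    return {host: classify(fetch_status(host)) for host in extract_pages_hosts(markdown_text)}


if __name__ == "__main__":
    # Offline run: constructed responses stand in for the network.
    canned = {"example-stats-abcdef0123456789.gitlab.io": 404,
              "example-docs-live.gitlab.io": 200}
    for host, verdict in audit(SAMPLE_HANDBOOK, fetch_status=canned.get).items():
        print(f"{verdict:20s} {host}")
```

Run against the real handbook with the default `probe_status`, anything reported as `dangling-candidate` is a hostname that should either be reclaimed by a project in the owning group or have its links removed; `unreachable` entries deserve a manual look rather than an automatic verdict.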