Total 2FA Bypass for Users

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3322714 by jcarre on 2025-09-01, assigned to GitLab Team:


Report

Summary

Hope this report finds you well!

There is a total 2FA bypass for users trying to secure their account with WebAuthn 2FA.

Specifically, first see the doc if you are not familiar with WebAuthn. Basically, it is a mechanism to secure one's account by checking "something you own", which is considered the highest level of security mechanism.

To use WebAuthn, typically you need to buy a device that is specifically made for secure authentication. For example, an industry-standard device is Yubico. With this device, you can just plug it into your computer and set up WebAuthn with it on gitlab.com following the above doc. After setting up, the next time you log in, you must plug the same device into the computer again to pass the 2FA check.

However, there is a vulnerability in gitlab.com such that an attacker can bypass any 2FA check for accounts set up with WebAuthn using a device like Yubico.

==I want to stress that this vuln is not a vuln of Yubico or WebAuthn==. You will understand why this is the case in the next section.

Steps to reproduce

For the H1 triager: you must have a device like Yubico to test WebAuthn, and you must have at least 2 Yubico devices to reproduce. This is simply how WebAuthn works, and there is no workaround. If you do not have such devices, please pass this report to GitLab or any triager with such a device in order to reproduce.

Due to the nature of WebAuthn, you can try to perform any of the following steps on the same or different computers (e.g. have the victim account on one computer and the attacker account on another). I have tested it on both the same and different computers, and it works the same.

  1. Using the Victim's account, set up 2FA with WebAuthn following the doc and enable 2FA with one Yubico.
  2. Using the Attacker's account, set up 2FA with WebAuthn following the doc and enable 2FA with ==another== Yubico.
  3. Unplug any Yubico, and do the following things on behalf of the ATTACKER.
  4. Try to log in with the Attacker account by entering the password. It will ask for 2FA. DO NOT plug in a Yubico or click anywhere. Instead, refresh the page, which should have a URL like https://gitlab.com/users/sign_in. If after the refresh it shows the same page asking for 2FA, then try to navigate to https://gitlab.com/users; it should redirect you to sign in.
  5. Now, enter the email and password of the victim (since this vuln is bypassing 2FA, it is assumed that the attacker already knows the victim's password). You will find 2FA is bypassed.

Video PoC

Impact

Simply critical. An account set up with 2FA by WebAuthn is meant to have the highest security, and a simple bypass like this is critical in terms of severity.

Thanks for reviewing my report!

Best,
Rogerace
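As an added illustration (not GitLab's code and not the reporter's), the model below shows the invariant that steps 4 and 5 of the report exercise: the "2FA pending" state created by a correct password must stay bound to that account, and a fresh password submission in the same session must never inherit it. The root cause in GitLab is not stated in the report, so the binding shown here is an assumption about how such a flow should behave; the accounts, passwords and credential ids are constructed for the example.

```python
# Added example, not GitLab's code: a minimal model of a two-step login
# (password, then WebAuthn) whose "2FA pending" state is bound to the
# account whose password was just verified.  Accounts, passwords and
# credential ids below are constructed for the example.

ACCOUNTS = {
    "victim": {"password": "victim-pw", "webauthn_cred": "cred-victim"},
    "attacker": {"password": "attacker-pw", "webauthn_cred": "cred-attacker"},
}

class Session:
    def __init__(self):
        self.pending_2fa_user = None    # set after a correct password, before WebAuthn
        self.authenticated_user = None  # set only after WebAuthn succeeds

def submit_password(session, user, password):
    """Step one of login. Any password submission resets prior state, so a
    2FA prompt left over from another account can never be reused."""
    session.pending_2fa_user = None
    session.authenticated_user = None
    acct = ACCOUNTS.get(user)
    if acct is None or acct["password"] != password:
        return "invalid"
    session.pending_2fa_user = user
    return "2fa_required"

def submit_webauthn(session, user, credential_id):
    """Step two. The assertion must come from the account that owns the
    pending state, and the credential must be registered to that account."""
    if session.pending_2fa_user is None or session.pending_2fa_user != user:
        return "no_pending_login"
    if ACCOUNTS[user]["webauthn_cred"] != credential_id:
        return "2fa_failed"
    session.pending_2fa_user = None
    session.authenticated_user = user
    return "authenticated"

def is_signed_in(session, user):
    return session.authenticated_user == user

def reproduce_report_sequence():
    """Replays steps 4-5 against this model: the attacker enters their own
    password, abandons the WebAuthn prompt (refresh / navigate away), then
    enters the victim's password in the same browser session.  With the
    state bound correctly, the victim is still asked for WebAuthn."""
    s = Session()
    assert submit_password(s, "attacker", "attacker-pw") == "2fa_required"
    result = submit_password(s, "victim", "victim-pw")
    return result, is_signed_in(s, "victim"), s.pending_2fa_user
```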

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

3.

Edited by Bogdan Denkovych