Email usurpation through the public mail of all GitLab users
**[HackerOne report #454335](https://hackerone.com/reports/454335)** by bubbounty on 2018-12-03:
**Summary:** Bypass of the email checks when a user adds an email to his profile
**Description:**
When a user wishes to add emails to his account, some checks are carried out (is the email a valid email? is the email already taken? etc.). Below is a simple way to bypass these checks and hence to usurp all GitLab users' emails.
## Steps To Reproduce:
Just add an e-mail and intercept the request with a proxy tool such as Burp Suite. You will have to change the **email[email]** parameter. Here is an example (take note that the **@** character for the email in bcc is double-encoded):

After that, indicate this new email as the public one on your profile and the result will be as follows:

Additionally, you can obtain strange results as shown below:

## Impact
Public email address should be in **verified** status before being usable.
The new email regex check should be more restrictive.
In this way, a bad guy can usurp other email addresses already existing on the system.
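The two mitigations above (canonical-form validation that rejects any percent-encoded input, and exposing only verified addresses) as an added Ruby example; this is not GitLab's code, and `EMAIL_RE`, the `Email` struct and the helper names are assumptions:

```ruby
# Conservative address shape: one local part, one "@", a dotted domain with a TLD.
# Assumption: this is an illustrative pattern, not GitLab's actual validation regex.
EMAIL_RE = /\A[a-z0-9._+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+\z/i

# Decode percent-escapes repeatedly until the string stops changing, so that a
# value encoded twice (or more) is unwrapped all the way down.
def percent_decode_fully(s)
  loop do
    decoded = s.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
    return decoded if decoded == s
    s = decoded
  end
end

# True only if the value the application received is ALREADY canonical: the
# framework has done its one decoding pass, so any escape that survives means
# the client is smuggling characters past the format check.  The literal value
# (not a decoded copy) must then match the strict pattern.
def canonical_email?(raw)
  return false unless raw.is_a?(String)
  return false if percent_decode_fully(raw) != raw   # nested encoding present
  return false if raw.count("@") != 1                # exactly one separator
  !!(raw =~ EMAIL_RE)
end

# Minimal model of a profile email (assumption; not GitLab's data model).
Email = Struct.new(:address, :verified)

# Only addresses that are both verified and canonical may be offered as the
# public email; an unverified or malformed entry never reaches the profile.
def eligible_public_emails(emails)
  emails.select { |e| e.verified && canonical_email?(e.address) }.map(&:address)
end
```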
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
* [mail3.png](https://h1.sec.gitlab.net/a/454335/384849/mail3.png)
* [mail2.png](https://h1.sec.gitlab.net/a/454335/384847/mail2.png)
* [mail1.png](https://h1.sec.gitlab.net/a/454335/384846/mail1.png)