Bypassing GitHub-restricted rooms by going through the GitHub OAuth upgrade process as a Twitter/GitLab user

HackerOne report #723997 by giddsec on 2019-10-28, assigned to @jeremymatos:

Summary

I found that https://gitter.im/login/upgrade?scopes=repo lets non-GitHub users bypass GitHub-restricted rooms. The Allow private repo access option is only offered to GitHub users, but opening https://gitter.im/login/upgrade?scopes=repo while logged in with a non-GitHub account causes that non-GitHub account to be recognised as a GitHub account.

This vulnerability results in non-GitHub accounts being able to bypass GitHub-restricted rooms.

Based on the Gitter oauth-scopes documentation:
[screenshot: oath-scope.PNG]
This means that non-GitHub users carry a _gitlab or _twitter suffix, which is why they should not be allowed to join GitHub-restricted rooms.

Steps to reproduce

You need 2 accounts:

  • GitHub account
  • non-GitHub account (GitLab/Twitter)

Both must be used in the same browser.

First Step:

  1. Log in to your GitHub account on Gitter.im.
  2. In the top-right corner there is a drop-down menu; click Allow private repo access.
  3. You will be redirected to https://gitter.im/login/upgrade?scopes=repo; click Upgrade.
  4. Click Authorize, and you will be redirected back to Gitter.im.
  5. Click Logout on Gitter (stay logged in on GitHub).

Second Step:

  1. In the same browser, log in to your non-GitHub account (GitLab/Twitter) on Gitter.im.
  2. On Gitter, a Twitter account does not have the Allow private repo access option.
  3. Go to https://gitter.im/login/upgrade?scopes=repo and click Upgrade.
  4. You will be redirected back to Gitter.im.

Third Step:

  1. Go to a room you own that has Only GitHub users are allowed to join enabled.
  2. Add the non-GitHub account; the restriction is now bypassed.

Once the non-GitHub user has completed the first and second steps, that non-GitHub user can join any GitHub-restricted room.
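The account-linking flaw the steps above describe, as an added example that is not part of the original report and not Gitter's own code: a small JavaScript model of the /login/upgrade handler and of the GitHub-only room check, with the vulnerable behaviour beside a hardened version. The user object, the room check based on a stored GitHub token, the OAuth callback data and the names of all functions are assumptions made for the model, not details confirmed by the report.

```javascript
// Added example modelling the Gitter OAuth "upgrade" flow from this report.
// Illustrative code written for this page, not Gitter's implementation.
// ASSUMPTIONS (not confirmed by the report): the "Only GitHub users" room
// rule checks whether the account holds a GitHub token, and the upgrade
// handler stores whatever GitHub identity the OAuth callback hands back.

// Identity provider derived the way the report describes it: non-GitHub
// accounts carry a _gitlab or _twitter suffix on their username.
function providerFromUsername(username) {
  if (username.endsWith('_gitlab')) return 'gitlab';
  if (username.endsWith('_twitter')) return 'twitter';
  return 'github';
}

// Constructed Gitter user record. githubId is the GitHub identity linked at
// login time (null for accounts that signed up through GitLab/Twitter).
function makeUser(username, githubId = null) {
  return {
    username,
    provider: providerFromUsername(username),
    githubId,
    githubToken: null,
  };
}

// Modelled room rule: "Only GitHub users are allowed to join".
function canJoinGitHubOnlyRoom(user) {
  return user.githubToken !== null;
}

// Vulnerable upgrade handler (the behaviour the report describes): whoever is
// logged in to Gitter receives the token from the GitHub callback, with no
// check that the account is a GitHub account at all.
function upgradeVulnerable(user, githubCallback) {
  user.githubToken = githubCallback.accessToken;
  user.githubId = githubCallback.githubId;
  return { ok: true };
}

// Hardened upgrade handler: only GitHub accounts may upgrade, and the identity
// GitHub returns must be the one already linked to the account, because the
// browser may still be logged in to github.com as somebody else.
function upgradeHardened(user, githubCallback) {
  if (user.provider !== 'github') {
    return { ok: false, reason: 'not a GitHub account' };
  }
  if (user.githubId !== null && user.githubId !== githubCallback.githubId) {
    return { ok: false, reason: 'GitHub identity mismatch' };
  }
  user.githubToken = githubCallback.accessToken;
  user.githubId = githubCallback.githubId;
  return { ok: true };
}

// Replays the report's three steps against one upgrade handler and reports
// whether the non-GitHub account ends up inside the GitHub-only room.
function runScenario(upgrade) {
  // Constructed OAuth callback result for the reporter's GitHub account. The
  // browser keeps its github.com session, so both upgrades receive this.
  const githubCallback = { githubId: 1001, accessToken: 'gho_constructed_token' };

  // First step: the GitHub account upgrades normally.
  const ghUser = makeUser('alice', 1001);
  const ghResult = upgrade(ghUser, githubCallback);

  // Second step: a Twitter account in the same browser hits /login/upgrade.
  const twUser = makeUser('mallory_twitter');
  const twResult = upgrade(twUser, githubCallback);

  // Third step: the room owner adds the Twitter account to a GitHub-only room.
  return {
    githubUpgraded: ghResult.ok,
    twitterUpgraded: twResult.ok,
    twitterJoined: canJoinGitHubOnlyRoom(twUser),
  };
}

console.log('vulnerable:', runScenario(upgradeVulnerable));
console.log('hardened:  ', runScenario(upgradeHardened));
```

The hardened handler refuses the upgrade for any account whose identity provider is not GitHub and, for GitHub accounts, requires the identity returned by the OAuth callback to match the one already linked. That second check matters because the report's steps rely on the browser keeping its github.com session across the Gitter logout, so the callback can return a GitHub identity that belongs to a different person than the Gitter account currently logged in.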

Demonstration of the vulnerability:

REDACTED

Output of checks

This bug occurs on Gitter.im.

Impact

Once a non-GitHub user has performed this bypass, that user is able to join any GitHub-restricted room.

Rooms with Only GitHub users are allowed to join this room enabled are supposed to block non-GitHub users from joining.

Attachments

REDACTED

Edited by Jeremy Matos