GitLab: Login email verification bypass via `/oauth/token`.
Description

Summary

Hello team, I want to report a security issue in the GitLab authentication functionality. The email verification on login provides an additional layer of security when 2FA has not been enabled. This security measure is triggered once the account has three or more failed sign-in attempts in 24 hours, or when a user attempts to sign in from a new IP address. Reference here.

GitLab also supports another basic authentication method, the Resource Owner Password Credentials (ROPC) flow, in which the user credentials (username and password) are exchanged for an access token with full read and write scope on the endpoint /oauth/token. Just like the web authentication, there is also a restriction implemented on this endpoint to prevent unauthorized authentication. For example, sending the token exchange request to that endpoint from a new IP address results in the following API error response:

{"error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}

However, this restriction is only enforced if there is no active session on the account. I have discovered that it is possible to bypass this restriction. During my testing, the restriction on /oauth/token is voided once the victim authenticates and completes the email verification, regardless of the IP difference between the attacker and…
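As an added example (not code from the report or from GitLab) of how a defender could detect the condition the report describes: flag successful password-grant token issuances at /oauth/token whose source IP has never completed a verified web sign-in for that user. The log records below are constructed, and their simplified field and event names are assumptions, not GitLab's real log schema.

```python
"""Detect ROPC (grant_type=password) token grants from IPs with no verified web sign-in.

Added example; the record format is a constructed simplification, not GitLab's schema.
"""
from collections import defaultdict

# Constructed sample records (assumed fields: ts, user, ip, event, grant, ok).
LOGS = [
    {"ts": 1, "user": "alice", "ip": "203.0.113.10", "event": "web_login_verified"},
    {"ts": 2, "user": "alice", "ip": "203.0.113.10", "event": "oauth_token",
     "grant": "password", "ok": True},
    # Token issued from an IP that never passed the login email verification.
    {"ts": 3, "user": "alice", "ip": "198.51.100.7", "event": "oauth_token",
     "grant": "password", "ok": True},
    # A failed grant is not a finding: the restriction worked as intended.
    {"ts": 4, "user": "bob", "ip": "198.51.100.9", "event": "oauth_token",
     "grant": "password", "ok": False},
]


def find_unverified_ropc_grants(logs):
    """Return (user, ip, ts) for each successful password grant from an unverified IP.

    An IP counts as verified for a user once a 'web_login_verified' event for that
    user and IP has been seen earlier in time order.
    """
    verified_ips = defaultdict(set)
    findings = []
    for rec in sorted(logs, key=lambda r: r["ts"]):
        if rec["event"] == "web_login_verified":
            verified_ips[rec["user"]].add(rec["ip"])
        elif (rec["event"] == "oauth_token" and rec.get("grant") == "password"
              and rec.get("ok")):
            if rec["ip"] not in verified_ips[rec["user"]]:
                findings.append((rec["user"], rec["ip"], rec["ts"]))
    return findings


if __name__ == "__main__":
    for user, ip, ts in find_unverified_ropc_grants(LOGS):
        print(f"ALERT ts={ts} user={user}: password grant from unverified IP {ip}")
```

In a real deployment the verified-IP set would be seeded from historical session data rather than only from events in the same batch.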
