GitLab has patched a serious authentication vulnerability that enabled any user to take over another user’s account with two-factor authentication enabled.
The vulnerability stemmed from the way GitLab’s authentication flow verified one-time passwords for accounts with 2FA enabled. An attacker who knew a victim’s username and could capture her own network traffic could sign in to the victim’s account without knowing the victim’s password. The researcher who discovered the vulnerability reported it to GitLab through the HackerOne platform, and GitLab fixed it within two days.
“When a user has 2FA enabled, it’s possible to sign in as that user without the need to know its password. To reproduce this attack, you need two users that both have 2FA enabled. For the sake of this PoC, let’s call them Jane and John. Jane is the attacker and wants to get access to John’s account. John’s username is john. Jane knows John’s username,” the vulnerability report from researcher Jobert Abma says.
To execute the attack, Jane would sign in to her own account on GitLab, which sets her user ID in the background. She then submits her 2FA code and monitors her network traffic to intercept the request carrying the 2FA token. The 2FA token is a six-digit number, and the vulnerability allowed the attacker to have a token verified against another user’s account rather than her own.
“This issue originates from the find_user method in the SessionsController. It returns a User object in two different ways: the first returns the object based on the params[:login] parameter. The second one if sessions[:otp_user_id]. The params[:login] parameter takes precedence over the ID stored in the session. This means that if the params[:login] is specified in the request when the 2FA code needs to be verified, a different user can be selected to verify the code against,” Abma’s report says.
GitLab Inc. is a private company based on the GitLab project and allows developers to test and share code.