GitLab patches API flaw that exposed private group data

GitLab private projects that were formerly public could have been accessed through search APIs

An ethical hacker has been awarded $3,000 (£2,300) for disclosing a security vulnerability that could have lead to the exposure of private GitLab groups.

Solutions architect Riccardo Padovani first encountered the vulnerability in November 2019. He promptly informed GitLab to the fact that private projects which were formerly public could have been accessed by other parties through vulnerable search APIs.

Although the issue was disclosed almost a year ago, the report was only made public on 6 October.

As explained by Padavani on the bug bounty platform HackerOne: "Alice creates the public group 'Example', and a public project named 'Example-project' inside the group. In the readme of the project, Alice writes 'Example'. Now, Alice creates a private group called 'private', and transfers all the 'Example' group to the 'private' group.

'If Bob (totally unrelated to Alice) searches for 'Example' instance-wide, he will not find anything [... but if he] uses APIs, he will receive the results back with the information that should be private,” he wrote, adding that the issue only arises when entire groups are transferred, as opposed to single projects.

GitLab software security expert Jeremy Matos verified this finding and escalated the issue to GitLab’s engineering team. The DevOps tool patched the vulnerability in GitLab version 12.5.4  and awarded Padavani with $3,000 for disclosing it.

Bug bounty hunting, which is a form of ethical hacking that focuses on finding and disclosing security issues, is becoming an increasingly popular source of income for security experts.

In August, it was reported that Microsoft paid out $13.7 million (roughly £10.5 million) across 15 bounty programmes during the previous 12 months, more than three times the amount paid out to researchers in the same period during 2018/19. The company rewarded 327 researchers for identifying bugs and flaws in Microsoft software, with 1,226 eligible vulnerability reports being filed during the period. The biggest single reward was $200,000.

CREST chairman Ian Glover previously told IT Pro that "the demand for high-quality individuals working for professional companies far outstrips supply."

"The UK is seen as one of the leaders in this area and the opportunity to work on international projects is increasing every day,” he said, adding that a registered level professional would expect to earn in the region of £55,000 and a team leader could be looking at more than £90,000.

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Recommended

BillQuick billing software exploit lets hackers deploy ransomware
Security

BillQuick billing software exploit lets hackers deploy ransomware

26 Oct 2021
Ransomware hit industrial sector the hardest in the third quarter
ransomware

Ransomware hit industrial sector the hardest in the third quarter

25 Oct 2021
Tesco services knocked offline after suspected cyber attack
hacking

Tesco services knocked offline after suspected cyber attack

25 Oct 2021
Microsoft touts new cyber security help for nonprofits
cyber security

Microsoft touts new cyber security help for nonprofits

22 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Royal Mint to recover gold from smartphones and laptops in world first
Technology

Royal Mint to recover gold from smartphones and laptops in world first

21 Oct 2021