this post was submitted on 02 May 2024
138 points (98.6% liked)

Programming

17117 readers
64 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 1 year ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
138
Maximum-severity GitLab flaw allowing account hijacking under active exploitation (arstechnica.com)
submitted 5 months ago by mox@lemmy.sdf.org to c/programming@programming.dev
6 comments fedilink hide all child comments
all 7 comments
sorted by: hot top controversial new old
[–] solrize@lemmy.world 39 points 5 months ago

Somehow they let attackers send themselves password reset links to arbitrary Gitlab accounts, apparently. Not good.

[–] notnotmike@programming.dev 11 points 5 months ago (2 children)

A change was made in 16.1.0 to allow users to reset their password through a secondary email address. The vulnerability is a result of a bug in the email verification process. The bug has been fixed with this patch, and as mentioned above, we have implemented a number of preventive security measures to protect customers.

Struggling to figure out what the heck they did. Some kind of injection attack to send the email to an arbitrary account? How would you even mess that up in the first place

[–] corsicanguppy@lemmy.ca 2 points 5 months ago

It was leveraged as part of an auto responding email function as part of a ticket that, when used as a secondary email address, allowed a password reset chit to be viewed and then used to change the password on the account.

I remember this one.

But it was fixed months ago. We patch nightly because enterprise software lets you roll back easily.

[–] Lmaydev@programming.dev 1 points 5 months ago

If I had to guess I'd say the email address was sent as part of the request and not verified.

[–] Kissaki@programming.dev 10 points 5 months ago

A patch from January and MFA prevents account takeover.

If you're not updating gitlab for over three months, across max severity security patches, you're negligent.

[–] Mubelotix@jlai.lu 3 points 5 months ago

I had a friend whose instance was hacked only a few hours after the issue was disclosed. Bots had swarmed the internet in just a day