$35,000 Bounty: How Inappropriate Access Control Led to GitLab Account Takeover

$35,000 Bounty: How Inappropriate Access Control Led to GitLab Account Takeover

Karthikeyan Nagaraj Karthikeyan Nagaraj

Karthikeyan Nagaraj

Penetration Tester | Secured NASA, Oxford, Drexel, and 15+ Government Organisations | Co-Lead Defcon Local Chapter | Speaker

发布日期: 2025年3月2日
+ 关注

Introduction

In cybersecurity, vulnerabilities can arise from the most unexpected defects. A recent account takeover vulnerability via password reset without user interaction demonstrated how a simple access control flaw could lead to full account compromise.

In this article, we will explain how the vulnerability was identified, how attackers exploited it, and how developers can secure web applications from similar threats.

Timeline

  • Date Reported: December 20, 2023
  • Severity: Critical (10.0 CVSS)
  • Bounty Awarded: $35,000
  • Disclosed: February 26, 2025

What is Account Takeover via Password Reset?

Password reset-based account takeover occurs when attackers manipulate the password reset feature of an application to gain unauthorized access to a user’s account. This flaw is often caused by improper validation or missing authorization checks.

How the Vulnerability Worked

The vulnerability was found in GitLab’s password reset functionality. It allowed attackers to receive password reset links intended for victims by modifying the request payload.

Steps to Exploit

  1. Visit the Forgot Your Password? page...

Click Here to Read the Complete Article on Medium

#bugbounty #cybersecurity

要查看或添加评论,请登录

Karthikeyan Nagaraj的更多文章