Email notifications not being sent on important security events like disabling 2FA
HackerOne report #476268 by rgupt
on 2019-01-08, assigned to asaba
Summary: GitLab does not send email notifications to users when important security events occur, such as when a user disables two-factor authentication. It is extremely important to notify users of important security events like this, and all the major sites such as GitHub and HackerOne do this.
The reason for sending these email notifications is that if the user's session is compromised through an XSS attack or browser hijacking, the attacker can silently disable the user's two-factor authentication, and the victim might not even realize that it was disabled. The attacker can then continue to do further damage to the victim's account.
Steps To Reproduce:
- Log in to GitLab with an account that has 2FA enabled.
- Navigate to Settings -> Account page and click the button to disable two-factor authentication.
- Check whether an email is sent to the victim when 2FA is disabled. GitLab does not send any email to users when 2FA is disabled.
- Navigate to Settings -> Authentication Log page. GitLab's documentation states that the Authentication Log is a security log of important events involving your account. However, even in this section, there is no entry indicating that two-factor authentication was disabled.
When I tried the same steps on GitHub, it notified the user when 2FA was disabled. Please check this screenshot:
Impact
If the victim's session is compromised through an XSS attack, the attacker can silently disable the user's two-factor authentication and cause further damage in the future.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
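To make the requested control concrete, the following is an added illustration in Ruby (GitLab's language); it is not part of the report and not GitLab's code. It models a user record whose 2FA-disable path, as the report describes, silently clears the flag and leaves no trace, next to a hardened form that writes an authentication-log entry and emails the address already on file as part of the same operation. All class and method names (User, SecurityMailer, AuthenticationLog, disable_two_factor!) are hypothetical, and the scenario data is constructed.

```ruby
# Added illustration (not GitLab code): a minimal model of the control the report asks for.
# Class and method names are hypothetical; the sample data is constructed.

# In-memory stand-in for an email delivery layer.
class SecurityMailer
  attr_reader :sent

  def initialize
    @sent = []
  end

  # The recipient is the address stored on the account, never one taken from
  # the current request, so a hijacked session cannot redirect the warning.
  def two_factor_disabled(to:, at:, ip:)
    @sent << { to: to, subject: 'Two-factor authentication was disabled', at: at, ip: ip }
  end
end

# In-memory stand-in for the per-account authentication log.
class AuthenticationLog
  attr_reader :entries

  def initialize
    @entries = []
  end

  def record(username:, event:, ip:, at:)
    @entries << { user: username, event: event, ip: ip, at: at }
  end
end

class User
  attr_reader :username, :email

  def initialize(username:, email:, otp_required: true)
    @username = username
    @email = email
    @otp_required = otp_required
  end

  def two_factor_enabled?
    @otp_required
  end

  # Behaviour the report describes: the flag is cleared and nothing else happens,
  # so the account owner has no way to learn that it occurred.
  def disable_two_factor_silently!
    @otp_required = false
    true
  end

  # Hardened form: the state change, the log entry and the notification happen
  # together. Returns false when 2FA was already off, so a replayed request does
  # not produce a spurious email.
  def disable_two_factor!(mailer:, log:, request_ip:, now: Time.now.utc)
    return false unless @otp_required

    @otp_required = false
    log.record(username: @username, event: 'two_factor_disabled', ip: request_ip, at: now)
    mailer.two_factor_disabled(to: @email, at: now, ip: request_ip)
    true
  end
end

# Constructed scenario: a request from a hijacked session (IP from documentation
# address space) disables 2FA on the victim's account.
# Returns [emails sent, authentication-log entries written].
def hijacked_session_disables_2fa
  mailer = SecurityMailer.new
  log = AuthenticationLog.new
  victim = User.new(username: 'victim', email: 'victim@example.com')
  victim.disable_two_factor!(mailer: mailer, log: log, request_ip: '203.0.113.7')
  [mailer.sent.size, log.entries.size]
end

if __FILE__ == $PROGRAM_NAME
  p hijacked_session_disables_2fa # => [1, 1]
end
```

The point of putting the log write and the mail in the same method as the state change is that neither can be skipped by a code path that reaches the flag some other way; the email goes to the stored address so the victim is told even when the session itself is already in the attacker's hands, which is exactly the case the report is about.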