Security Issue in omniauth when using github login
Created by: ismailovic
- Summary: Users can log in with admin rights to GitLab when using GitHub login, because they can change their email in GitHub.
Steps to reproduce:
- Step 1: Change your email on GitHub to "admin@yourdomain.com" (I assume that this email is the email of your administrator in the GitLab installation).
- Step 2: Log in on http://yourdomain.com with your GitHub user (I assume that GitLab is installed on this domain, and OmniAuth using GitHub is activated).
- Step 3: Now you should have admin privileges in your GitLab on http://yourdomain.com.
- Expected behavior: The OmniAuth login with GitHub should log in with the same account, even if I change the email in GitHub. I should be able to change my email in GitHub and still log in to GitLab.
- Observed behavior: Every time I change the email in GitHub, I can log in as a different user. When I use a new email on GitHub that GitLab does not know, then I cannot log in. And if I change my email in GitHub so that it matches the email of the administrator, I get admin rights in GitLab.
- Relevant logs and/or screen shots: NO SCREENSHOTS
- Output of checks: NO OUTPUT
- Possible fixes: The login with OmniAuth when using GitHub should not only check the email for authentication, but also some ID or anything that cannot be changed and is unique for each user.
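To make the proposed fix concrete, here is an added, self-contained Ruby example (not GitLab's or OmniAuth's own code) that contrasts the two lookups: mapping the provider's auth hash to a local user by email versus by the provider's (provider, uid) pair. The `User`/`Identity` structs, the sample accounts and the `SPOOFED_AUTH` hash are constructed for illustration.

```ruby
# Added example (not GitLab's code): a minimal in-memory model of two ways an
# OmniAuth callback can map a provider's auth hash onto a local user.
# User, Identity, find_user_by_email and find_user_by_identity are hypothetical.

User = Struct.new(:id, :email, :admin)
Identity = Struct.new(:provider, :uid, :user_id)

USERS = [
  User.new(1, "admin@yourdomain.com", true),  # constructed: the GitLab administrator
  User.new(2, "mallory@example.org", false),  # constructed: an ordinary user
]
IDENTITIES = [
  Identity.new("github", "1001", 1),  # admin previously linked GitHub uid 1001
  Identity.new("github", "2002", 2),  # mallory linked GitHub uid 2002
]

# Vulnerable lookup: trusts the email reported by the provider. A GitHub user can
# change the email on their own profile, so this field is user-controlled.
def find_user_by_email(auth)
  USERS.find { |u| u.email == auth[:info][:email] }
end

# Hardened lookup: keys on (provider, uid). The uid is assigned by GitHub and
# stays the same across email changes, so it still identifies the same account.
# An unknown (provider, uid) pair maps to nobody; whether to create a new user
# for it is a separate policy decision, not an implicit match on email.
def find_user_by_identity(auth)
  ident = IDENTITIES.find { |i| i.provider == auth[:provider] && i.uid == auth[:uid] }
  ident && USERS.find { |u| u.id == ident.user_id }
end

# Constructed auth hash in OmniAuth's shape: mallory's GitHub account (uid 2002)
# after the profile email has been set to the administrator's address.
SPOOFED_AUTH = {
  provider: "github",
  uid: "2002",
  info: { email: "admin@yourdomain.com" },
}

if __FILE__ == $0
  [:find_user_by_email, :find_user_by_identity].each do |m|
    u = send(m, SPOOFED_AUTH)
    puts "#{m}: #{u.email} (admin=#{u.admin})"
  end
end
```

Running it shows the email lookup resolving the spoofed hash to the administrator, while the identity lookup resolves it to mallory's own account.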