
🔧 $35,000 Bounty: How Inappropriate Access Control Led to GitLab Account Takeover


News section: 🔧 Programming
🔗 Source: dev.to

Introduction
In security, serious vulnerabilities often hide in the most routine features. A recently disclosed GitLab flaw allowed account takeover through the password reset flow with no interaction from the victim, showing how a single missing access control check in an everyday feature can end in full account compromise.

This article explains how the vulnerability was identified, how an attacker could exploit it, and how developers can protect their own web applications against the same class of flaw.

Timeline
Date Reported: December 20, 2023
Severity: Critical (CVSS 10.0)
Bounty Awarded: $35,000
Disclosed: February 26, 2025

What is Account Takeover via Password Reset?
Account takeover via password reset occurs when an attacker abuses an application's password reset feature to obtain a reset link or token for an account they do not own, and then uses it to set a new password. The usual root causes are improper validation of the reset request (for example, trusting attacker-controlled input to decide where the link is delivered) or a missing authorization check that the requester is actually entitled to reset that account.

How the Vulnerability Worked
The vulnerability was in GitLab's password reset functionality. By modifying the payload of the reset request, an attacker could have the password reset link intended for a victim delivered to an address the attacker controlled. The victim did not have to click anything; the attacker simply followed the link and set a new password.
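To make the mechanism concrete, here is a small Ruby model of the flawed pattern next to a hardened handler. This is an added example written for this article, not GitLab's code: it assumes the manipulated payload replaces the single email field with an array of addresses (the payload form described in public analysis of CVE-2023-7028, the identifier this GitLab flaw was assigned), it uses a constructed in-memory user table and a stub mailer in place of a real database and SMTP, and the names `USERS`, `Mailer`, `reset_vulnerable`, `reset_hardened` and `demo` are its own.

```ruby
require "securerandom"

# Constructed in-memory account table standing in for the real users table.
USERS = {
  "victim@example.com" => { id: 1, email: "victim@example.com" },
}.freeze

# Stub mailer: records every reset email "sent" so both handlers can be compared.
class Mailer
  attr_reader :sent

  def initialize
    @sent = []
  end

  def reset_email(to:, token:)
    @sent << { to: to, token: token }
  end
end

# Vulnerable pattern: the handler trusts the submitted address list.
# A Rails-style parameter parser turns
#   user[email][]=victim@example.com&user[email][]=attacker@evil.test
# into an Array; the lookup matches the victim, and the same token is
# mailed to every address in the array, including the attacker's.
def reset_vulnerable(params, mailer)
  emails = Array(params.dig("user", "email"))
  user = USERS.values.find { |u| emails.include?(u[:email]) }
  return :no_such_user unless user

  token = SecureRandom.hex(16)
  emails.each { |addr| mailer.reset_email(to: addr, token: token) }
  :sent
end

# Hardened pattern: require exactly one String, resolve the account from it,
# and deliver only to the address stored on that account. The submitted value
# is used for lookup, never as a delivery target.
def reset_hardened(params, mailer)
  email = params.dig("user", "email")
  return :rejected unless email.is_a?(String)

  user = USERS[email.strip.downcase]
  # Same response whether or not the address exists, so the endpoint
  # does not double as an account-enumeration oracle.
  return :sent unless user

  token = SecureRandom.hex(16)
  mailer.reset_email(to: user[:email], token: token)
  :sent
end

# Constructed attacker payload: the victim's address plus an attacker-controlled one.
CRAFTED = { "user" => { "email" => ["victim@example.com", "attacker@evil.test"] } }.freeze

# Runs the crafted payload through both handlers and reports who got a reset link.
def demo
  vuln = Mailer.new
  reset_vulnerable(CRAFTED, vuln)
  hard = Mailer.new
  reset_hardened(CRAFTED, hard)
  {
    vulnerable_recipients: vuln.sent.map { |m| m[:to] },
    hardened_recipients: hard.sent.map { |m| m[:to] },
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it with `ruby reset_example.rb`: the vulnerable handler mails one token to both addresses, so the attacker never needs access to the victim's inbox, while the hardened handler rejects the array outright and, for a well-formed request, delivers only to the address already stored on the account. Two further points matter in a real fix: the response must look identical for known and unknown addresses, and the token itself should be single-use and short-lived, so that even a leaked link has a narrow window.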

Steps to Exploit
Visit the Forgot Your Password? page...

Read the complete article on Medium.

...
