this post was submitted on 28 Jan 2024
355 points (99.2% liked)

Technology

59137 readers
2342 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
355
Over 5,300 GitLab servers exposed to zero-click account takeover attacks (www.bleepingcomputer.com)
submitted 9 months ago by [email protected] to c/[email protected]
50 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 29 points 9 months ago (2 children)

Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.

Jesus Christ. Their frontend was sending a list of recipients to the backend. That's an intern developer level of fuck up, in their login system, no less.

If this got past them, it's a sign of deep problems.

[–] [email protected] 5 points 9 months ago (2 children)

Can you explain in a bit more detail what you understand was happening?

[–] [email protected] 24 points 9 months ago

Gitlab has a backend, which runs on a server, and a frontend, which runs in all the user's browsers. When the user does anything it sends some network requests to the backend in order to save the changes the user has made, send the necessary emails or create a session, etc.

The thing with this architecture is the backend and frontend are effectively separate apps. Also as the frontend is running remotely on the attacker's computer the attacker can change it to behave however they want. The backend can't trust the frontend to "do the right thing", ever. The backend needs to assume the frontend will do every bad and silly thing possible, and treat anything coming from the frontend with maximum suspicion.

So you simply can't allow the frontend code to provide a list of email addresses to send an email to, because it'll allow the attacker to send emails to anywhere. Where the email goes to needs to be determined by the backend. The frontend should only be concerned with hiding and showing stuff in the UI, and pretty much all intelligence and business logic needs to reside on the server where we control the code and environment. A good understanding of the roles and responsibilities of the front vs back is a fundamental concept and if the developer hasn't grasped this then they're going to introduce security problems everywhere they go.

This is one of many pitfalls of the "frontend + backend" architecture. I vastly prefer to build monoliths instead.

[–] [email protected] 6 points 9 months ago (1 children)

Not the commenter but it seems like the parameters of the HTTP Get/Post weren't protected/checked. The API was likely something like: Email to reset: string(email account to reset) But it accepted something like: [string(email account to reset), string (email to which the reset mail is sent to)]

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (1 children)

Little Bobby Tables? Or would that be an XHR attack?

[–] [email protected] 3 points 9 months ago (1 children)

Bobby table, this, buffer overflow... Are all similar in spirit.

Bobby table is a way for hiding the malicious SQL query after a normal query (in that case after the select with "Bobby" you inject the malicious drop table)

In this case after the normal email (that normally would serve for both identifying the user and for the mail to send the recovering mail), the attacker sends two mails, the first is fo identifying the user the second to send the recovering mail

In the case of buffer overflow you inject malicious code after normal(-ish) data

It's not an XHR attack since for the mail recovery workflow you don't need an authenticated session.

To be a bit more compassionate to the developers, this is probably some dynamic typing problem. Probably ruby is "smart" into understand that an array can contain strings after all... So an array of strings is as good as a string... But here we go into static vs dynamic typing.... And it's a bit of religious war (fun fact in 2011 i was advocating with Guido Van Rossum in having at least an optional static typing check in Python - at the time the discussion was how to make python faster/compiled - and he was borderline mocking me 😅 and few years after pytypes but still no compilation at horizon 😂)

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

Thanks for the explanation, my friend!

My problem is that I am a hopeless generalist (which basically means I invariably find myself in support positions rather than what I actually should be doing), and IT is an endless jungle. I'm too curious for my own good.

[–] [email protected] 4 points 9 months ago

Holy shit, that's the rookiest mistake.

[–] [email protected] 51 points 9 months ago (1 children)

We use gitlab ultimate at my work, I'm the main admin of the instance. Like 2 weeks ago when there was the cvss 10 vuln, gitlab sent us a .patch file to apply to the instance instead of releasing a new minor cause they didn't wanna make the vuln public yet. I guess that's coordinated disclosure, but I still found that remarkably jank.

[–] [email protected] 4 points 9 months ago (1 children)

How often do y'all update yours?

[–] [email protected] 4 points 9 months ago

Yum upgrade. Nightly. Since about v9.

[–] [email protected] 33 points 9 months ago (2 children)

bruh, feels like gitlab has security update every other day, it's some bullshit even for a project this size. And who knows how many 0-days are around.

[–] [email protected] 6 points 9 months ago

I’ve been hanging a version back for a while now. Although my instance isn’t public, it’s ridiculous how many CVEs I have dodged by not updating. SolarWinds all over again.

[–] [email protected] 4 points 9 months ago (1 children)

And their license cost increases at almost the same rate.

[–] [email protected] 1 points 9 months ago (1 children)

No it doesn't. Gitlab's pricing has been pretty stable, with one increase in the premium tier in the past six years ($19 --> $29 per user per month).

[–] [email protected] 5 points 9 months ago

There were more increases, they just changed the tier names and billing terms, so it's somewhat hard to find historical information of previous prices. Our company ditched it after the 52% increase in 2023, especially because we were still adjusting to the price increase from 2021, which for us was $6 per user per month. I think in 2018 or 2019 it was $3 per user per month, so there must have been another increase that happened between 2018 and 2021. This was all for self hosted, so we had the additional cost of hardware and to maintain the services.

I really wanted to support GitLab, but the price simply became too much to justify.

[–] [email protected] 150 points 9 months ago (4 children)

There was a chap on here the other day who said they hate 2fa and don't need it because they use passwords that are 50 characters and generated by the password manager.

This is a perfect example of why you should always activate it when possible.

[–] [email protected] 5 points 9 months ago (1 children)

I don't have 2FA for my GitLab account since it's only accesible via my GitHub account which has 2FA. Is this good or should I add 2FA to GitLab also?

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago) (2 children)

If you have to use your GitHub 2fa to sign in that's fine I would assume.

[–] [email protected] 4 points 9 months ago

This isn't necessarily true. If you are using an identity provider, you can still perform a password reset on GitLab and set a password there, bypassing your 2FA on GitHub. You usually shouldnt rely on IdP 2FA unless the destination system enforces IdP signin every time. There is a group setting in GitLab that does that, but it will only apply for that group.

[–] [email protected] 1 points 9 months ago

Okay, thanks!

[–] [email protected] 2 points 9 months ago (1 children)

One of the biggest issues with 2fa is that normally it's either an easily spoofable phone/email or an app locked to a device.

This is why I use a password manager (pass) that is synced across all of my devices (via a private self hosted git for version control) that I can send 2fa QR codes to cameraless devices via screenshots using zbarimg and have every device capable of 2fa verification with the pass-otp extension.

I know this setup is a bit complicated as just dealing with git or importing a gpg key would give most people I know sense of existential dread. I am curious to see what others use for similar functionality.

[–] [email protected] 1 points 9 months ago (1 children)

Is that second factor, though? If I understand it right, you are basically generating your MFA from your password manager, is that so?

[–] [email protected] 1 points 9 months ago (1 children)

I'm just using my password manager in place of the authenticator app.

So rather than using an app like Google authenticator or Authy to see what the new random sequence is for the MFA, my password manager stores that QR as a string and will display the same random sequence that a normal MFA app would.

They key difference is that my MFA is synced across any device that I have configured my password manager on using the same cryptographic keys and version control history.

So if my phone is dead, lost, or stolen, I can still access my banking account via MFA as normal.

I suppose it brings up the idea of what a "factor" is in how it's used for MFA. If a factor is supposed to be a different device, a different app on the same device as your password manager, or just a different passphrase that's constantly changing.

[–] [email protected] 2 points 9 months ago (1 children)

I see. IIRC from school, "factor" actually has a definition - it's either something you have (keycard, phone), something you are (biometrics) or something you know (password).

For authentication to be truly an effective MFA, it would have to require at least two of those factors. And that's also why I.e email isn't really a MFA.

So, I guess it boils down to where are you storing your passwords. If they are also in the password manager, then, its only 1FA, because knowing your password manager password is enough to defeat it. (Or, if someone finds a zeroday in the pass manager).

[–] [email protected] 1 points 9 months ago

It's still two separate passwords so I think it qualifies as 2 factors.

But yes the password manager has one gpg key which only has one passphrase used to decrypt the passwords saved in the password manager. So if that was compromised then so would all passwords

[–] [email protected] 43 points 9 months ago (3 children)

Alot of people don't like Microsoft, but they're pushing for zero password authentication for a reason. Passwords are getting really insecure really fast.

[–] [email protected] 17 points 9 months ago (2 children)

Have they given up on their “Passwords are insecure, use this 4 digit pin instead” push?

[–] [email protected] 3 points 9 months ago (1 children)

Not entirely, but now MS, and a lot of other companies, are pushing passkeys. I still prefer password + hardware 2fa but it's safer than people reusing the same password everywhere.

[–] [email protected] 3 points 9 months ago* (last edited 9 months ago) (1 children)

I am a fan of passkeys. Particularly because they essentially function as hardware 2fa, except they’re the only factor, which isn’t as big of a problem because it’s not something you can steal in a service breach like passwords. I’ve also noticed that even when using passkeys, most sites let you force a TOTP code as well anyway.

[–] [email protected] 3 points 9 months ago (1 children)

Very true, the big issue with them is a lot of popular hardware keys, including the yubikeys that I have, are limited to the number passkeys they can store (yubikey is 25 unique). Luckily password managers are starting to support them, but now you're back to having a strong password + hardware 2FA to store those passkeys anyway.

I do like TOTP or just hardware 2FA as a backup for my passkeys. What I really can't stand is sties that only offer SMS as 2FA, it makes me more angry than it probably should.

[–] [email protected] 1 points 9 months ago

iPhones natively support passkeys, so at the very least the iOS user base can easily use them. Not sure about Android though.

[–] [email protected] 3 points 9 months ago

I just use their Authenticator app out of convenience, I get a notification when I login through it and it asks me to input the correct number given by the app, a 2 digit number.

[–] [email protected] 35 points 9 months ago* (last edited 9 months ago) (1 children)

This vulnerability has nothing to do with password strength or security and everything to do with password reset security, i.e. email and improper handling of parameters to that reset API call.

Passkeys are interesting and potentially quite strong but they're going to have to fall back to the same old reset mechanism if you e.g. drop your passkey device (phone) into a lake.

[–] [email protected] 1 points 9 months ago (1 children)

Or just make it clear your account is gone if you lose your passkey, so have a second key for backup or learn a hard lesson.

[–] [email protected] 2 points 9 months ago (1 children)

Yeah, good luck with that. You can tell someone "if you lose this token, all data are unrecoverable", they'll reply with "ok, got it!" and about two and a half second later call you saying "Hey I lost my token can you recover my data?".

[–] [email protected] 1 points 9 months ago

Hence the "hard lesson" part. A lot of us tech-focused people learned the same lesson with our document backup systems. You lose some important documents, then you realize you really should backup your stuff. All I hope is these people learn the lesson earlier in life before the consequences become more and more severe.

[–] [email protected] 2 points 9 months ago (1 children)

How does Microsoft's implementation work?

Is it possible to log into windows without a Microsoft account using that method?

[–] [email protected] 6 points 9 months ago (2 children)

I don't know about windows specifically, but for outlook they're pushing their authenticator app (you can use any) and SMS or email one time links. I think it works really well, and almost all attempts to access my account have stopped tbh, they can't phish for my password if I don't have a password.

[–] [email protected] 2 points 9 months ago

That reverse-code thing is super annoying. The next vector is through the shitty app itself.

[–] [email protected] 16 points 9 months ago (2 children)

I see a lot of people around me resetting passwords of services they rarely use because they forgot what password they used and don't have a password manager (or not synced one). And I don't understand why all services don't propose to generate a one time link to log in instead of changing passwords (a few services do propose it already)

Passwords are useless for all users using the same password for every account they have, and i'm sure it's a majority of users.

[–] [email protected] 3 points 9 months ago

How do you secure email accounts then? And wouldn't that make those just even more attractive targets?

[–] [email protected] 9 points 9 months ago (1 children)

Google is moving that way with passkeys. I think it'll catch on with many people.

Just cut the passwords out and go straight to unlocking with a device.

That said not sure what happens if you lose your device.

[–] [email protected] 11 points 9 months ago* (last edited 9 months ago) (2 children)

don’t even have to lose the device

phone is the most common, plenty of ways in from mitm attacks (insecure wifi for example) to social eng the account phone provider

guess you could go the dongle route but if it was super common thieves would just target them

[–] [email protected] 7 points 9 months ago (1 children)

The idea with passkeys though is that it’s like a dongle, not just your phone number. It’s not an SMS code or link, it uses the cryptography hardware of your phone to authenticate. But the question of “what happens if I lose my phone” still persists.

https://fidoalliance.org/passkeys/

https://developer.apple.com/passkeys/

https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/amp/

[–] [email protected] 4 points 9 months ago (1 children)

I mean it’s just 2fa without the password so same issues with what I described

https://www.csoonline.com/article/570795/how-to-hack-2fa.html

just the first result on google

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

"5 ways to hack 2FA" is pretty click-baity though. All of those attacks are either not exclusively related to 2FA or could target another component. If you can just bypass security altogether, instead of questioning 2FA, you should consider ditching that service/site.

All except point 1, that is. But everyone should know by now that 2FA by SMS is insecure.

[–] [email protected] 14 points 9 months ago (1 children)

I think the question is less about getting hacked and more about getting permanently locked out of your account.

[–] [email protected] 6 points 9 months ago

sure but it shouldn’t be, any good process will have some recovery method

course that can be a vulnerability as well

thank god recovery questions are dead