"Resend Confirmation" Error Message Security
Created by: raacoon
The "Resend Confirmation" should never confirm if an email address is present in the system or not. Instead it should always "confirm" that the email address was successfully found and the confirmation mail was sent.
Right now GitLab shows an error like this: "Email was already confirmed, please try signing in". So an attacker can "guess" valid email addresses by pure brute force, because the response differs depending on whether the address is registered.
Here is what Troy Hunt has written about that topic:
"This practice also opens up the risk of “username enumeration” where an entire collection of usernames or email addresses can be validated for existence on the website simply by batching requests and looking at the responses. Got a list of everyone’s email address from the office and a few spare minutes to do some scripting? You can see the problem!"
Source: http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html
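To make the fix concrete, here is an added example (not GitLab's own code) modelling the resend-confirmation handler in Ruby: first the vulnerable form the issue describes, where each branch returns a different message, then a hardened form that returns one constant message on every path and only sends mail when appropriate. The user store, `MAILER`, and the function names are assumptions made for the example.

```ruby
# Added example, not GitLab code. Minimal model of a "resend confirmation"
# endpoint: vulnerable (state-revealing) vs hardened (uniform response).

User = Struct.new(:email, :confirmed)

# Constructed sample user store (assumption for this example).
USERS = {
  "alice@example.com" => User.new("alice@example.com", true),  # already confirmed
  "bob@example.com"   => User.new("bob@example.com", false),   # still pending
}

# Stand-in for a mailer: records the addresses a confirmation mail went to.
MAILER = []

# Vulnerable form: three distinct responses, so the body alone reveals
# whether an address exists and whether it is confirmed.
def resend_vulnerable(email)
  user = USERS[email.downcase.strip]
  return "Email not found" if user.nil?
  return "Email was already confirmed, please try signing in" if user.confirmed
  MAILER << user.email
  "Confirmation email sent"
end

# Hardened form: the side effect (sending mail) still happens only for a
# registered, unconfirmed address, but the response is the same constant
# string on every path, so it carries no information about account state.
UNIFORM_MESSAGE = "If that email address is registered and not yet confirmed, " \
                  "a confirmation email has been sent."

def resend_hardened(email)
  user = USERS[email.downcase.strip]
  MAILER << user.email if user && !user.confirmed
  UNIFORM_MESSAGE
end

# Check used to verify an endpoint is not an enumeration oracle: probe it
# with an unknown, a confirmed and a pending address and count the distinct
# responses. A non-leaking endpoint yields exactly one.
def distinct_responses(handler, emails)
  emails.map { |e| method(handler).call(e) }.uniq.size
end
```

Note that a uniform message is only part of the fix: the handler must also be rate limited and must not leak state through response time or status code.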