
$35,000 Bounty: How Inappropriate Access Control Led to GitLab Account Takeover

Karthikeyan Nagaraj
3 min read · 1 day ago

Introduction

In cybersecurity, serious vulnerabilities can hide in the most ordinary features. A recent account takeover vulnerability in GitLab, reachable through the password reset flow with no interaction from the victim, showed how a simple access control flaw can lead to full account compromise.

In this article, we explain how the vulnerability was identified, how an attacker could exploit it, and how developers can protect web applications from similar flaws.

Timeline

  • Date Reported: December 20, 2023
  • Severity: Critical (CVSS 10.0)
  • Bounty Awarded: $35,000
  • Disclosed: February 26, 2025

What is Account Takeover via Password Reset?

Password reset-based account takeover occurs when an attacker abuses the password reset feature of an application to gain unauthorized access to another user’s account. The root cause is usually improper input validation or a missing authorization check: for example, the reset link is delivered to an address the attacker supplies in the request rather than only to the address verified for the account, so the attacker can complete the reset without ever touching the victim’s mailbox.

How the Vulnerability Worked

The vulnerability was found in GitLab’s password reset functionality. It allowed attackers to receive password reset links intended for…
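The failure class described in the two sections above, as an added example that is not code from the original article or from GitLab: a password reset endpoint written in Ruby (the language GitLab itself is written in) that delivers the reset link to whatever addresses the request names, beside a hardened version that accepts a single address and mails only the account on record. The parameter shape (a list of emails), the user table, the in-memory outbox and token store, the hostname git.example.com and the addresses are all constructed assumptions for illustration, not details taken from the page.

```ruby
# Added example, not GitLab's code. Models a password-reset endpoint that
# trusts a caller-supplied recipient list (vulnerable) beside one that mails
# only the verified address on record (hardened). Every data structure here is
# constructed for the illustration.
require 'securerandom'
require 'digest'

# Constructed user store: verified email on record -> account.
USERS = {
  'victim@example.com' => { id: 1, name: 'victim' },
  'admin@example.com'  => { id: 2, name: 'admin' }
}.freeze

# Constructed outbox so the test can see who received which link.
class Outbox
  attr_reader :sent

  def initialize
    @sent = []
  end

  def deliver(to:, link:)
    @sent << { to: to, link: link }
  end
end

# Issue a single-use, time-bound reset token for a user and return the link.
# Only the SHA-256 of the token is stored, so a leaked token table does not
# hand out live reset links.
def issue_reset_link(user, tokens)
  token = SecureRandom.urlsafe_base64(32)
  tokens[Digest::SHA256.hexdigest(token)] = { user_id: user[:id], expires_at: Time.now + 600 }
  "https://git.example.com/users/password/edit?reset_password_token=#{token}"
end

# VULNERABLE (assumed shape of the bug, not the page's account): the request may
# carry several email addresses. The account is looked up by the first one, but
# the link is delivered to every address in the list, so an attacker who appends
# their own address receives the victim's reset link.
def vulnerable_reset(params, outbox, tokens)
  emails = Array(params['email'])
  user = USERS[emails.first]
  return :not_found unless user

  link = issue_reset_link(user, tokens)
  emails.each { |addr| outbox.deliver(to: addr, link: link) }
  :sent
end

# HARDENED: accept exactly one string address, look the account up by it, and
# deliver only to the address stored on that account. The response is the same
# whether or not the address exists, so the endpoint does not enumerate users.
def hardened_reset(params, outbox, tokens)
  email = params['email']
  return :sent unless email.is_a?(String)

  user = USERS[email]
  return :sent unless user

  link = issue_reset_link(user, tokens)
  outbox.deliver(to: email, link: link) # the address on record, never a caller-chosen one
  :sent
end

# Redeem a token: hash it, consume it (single use), reject if expired.
# Returns the user id on success, nil otherwise.
def redeem_reset_token(token, tokens)
  entry = tokens.delete(Digest::SHA256.hexdigest(token))
  return nil unless entry && entry[:expires_at] > Time.now

  entry[:user_id]
end

if __FILE__ == $PROGRAM_NAME
  outbox = Outbox.new
  tokens = {}
  # Constructed attacker request: the victim's address plus the attacker's own.
  attack = { 'email' => ['victim@example.com', 'attacker@evil.example'] }
  vulnerable_reset(attack, outbox, tokens)
  puts "vulnerable endpoint mailed: #{outbox.sent.map { |m| m[:to] }.inspect}"

  outbox = Outbox.new
  hardened_reset(attack, outbox, tokens)
  puts "hardened endpoint mailed:   #{outbox.sent.map { |m| m[:to] }.inspect}"
end
```

The fix is not only "reject arrays": the hardened handler never uses the submitted value as a recipient at all, it derives the recipient from the account it found, and it keeps the token single-use and short-lived so a link that does leak (mail logs, a shared inbox) has a small window.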
