Published: June 08, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
GitLab, the DevOps platform repository, recently released a security patch for its estimated 30 million registered users in 66 countries. The patch fixes a missing authentication flaw allowing remote attackers to gather and steal user PII. The heisted data involves GitLab’s client usernames, true names, and email addresses. It’s not an enormous amount of PII to begin with, but cyber-history shows this bit of data is a steppingstone to other cybercrimes. The good news is a patch is now available and GitLab urges its users to download it immediately.
Created in 2011, GitLab defines itself as “…a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate and build software. From idea to production, GitLab helps teams improve cycle time from weeks to minutes, reduce development costs and time to market while increasing developer productivity.” The term “DevOps” refers to combining software development and IT operations into a single workflow for its users.
GitLab’s Security Flaw
Rapid7 confirms this GitLab security flaw affects GitLab Community Edition and Enterprise Edition starting with version 13.0, and all other GitLab versions from 14.4 up to 14.8. According to the researcher who discovered it, the missing authentication check means that “a remote, unauthenticated attacker can use this vulnerability to collect registered GitLab usernames, names, and email addresses.” In addition, the data leak could be used to build a new username wordlist from the 50,000 GitLab instances exposed on the internet.
Behind GitLab’s Security Flaw
The flaw was originally discovered by Jack Baines, a senior security researcher at Rapid7, as part of the company’s vulnerability disclosure program, and GitLab made the patch available early this year. Alone or combined, the leaked PII (username, true name, and email address) can serve as a roadmap for follow-on cybercrimes such as brute-force attacks.
Brute-force attacks are a common next step once an attacker holds this amount of PII; they are a tried-and-true method of exposing even more extensive amounts of user data. It starts with just a small amount of information, like a name and email address, and builds from there until the bad actor has all the PII they need for additional crimes. These attacks can lead to identity fraud and financial theft, spread malware, and hijack an entire system. Whether targeting personal or business-related accounts, the outcome of brute forcing can be devastating for both.
So, the next time you choose a username and password for any account, remember that a brute-force attacker may be waiting on the other side. Make sure both are lengthy and strong, and give each account a unique password. You’ll never know just how many other security flaws you’ve escaped by doing so.