Am I missing something or does the security release recommend updating to the latest version without saying what that latest version is (at time of writing)?
Come to think of it, how can you find what version of Gitlab is being run? (through the web interface on a CE instance)
> GitLab doesn't support SMS-based 2FA – the most commonly hijacked implementation – only supporting app-based 2FA or that issued via a WebAuthn device, which are much more secure.
I’m glad the register is calling this out. I hate handing over my personal phone number to a website for my “security”. Yeah right security, and not for your anti-spam and tracking purposes.
App-based 2FA is much better, especially passkeys.
Several years ago, I informed GitLab and a few other services that their MFA implementation was faulty. Any user with control of the designated email address could reset the password on an account without knowing that password.
GitLab and the others told me that this was not a vulnerability, because that is not part of their threat model after all.
Isn't that a usability vs security trade-off? Asking naively as a non-expert here.
In some systems, a password reset lets you bypass MFA. On Gitlab, however, you might be able to reset the password, but it will not let you bypass MFA (which was a nice mitigation for this CVE).
I often wonder about this, because people's email should have fairly good security (MFA, detect new devices, suspicious IPs, alerts, etc), and MFA on the other service lets them have similar protections. Both services might not be bullet-proof, but an attacker will likely generate alerts in one or the other.
Most of my users are very non-technical, and might not have access to their MFA (MFA reset requests are fairly frequent), so to be able to access using a one-time-secret sent by email seems like an acceptable compromise, especially if it means that more users will enable MFA. In systems I administer, less than 20% of users tend to enable MFA (it depends on org policy, and it's often optional).
Speaking of, I wish services would do auth by: login -> MFA -> pass, instead of login -> reCaptcha -> pass -> MFA. Especially for scenarios where MFA is mandatory. Having reCaptcha is really annoying considering I went the extra step of enabling MFA (ex: Stripe, Quickbooks).
> Any user with control of the designated email address could reset the password on an account without knowing that password.
Do you mean without having the MFA code? Because literally every password reset implementation operates without you knowing the password; that’s the entire point of it.
I guess that a service like GitLab might need to take this seriously, but ones with a lesser attack surface, might not care.
This is the case for the service that I am about to release. It makes it very convenient for users that forget their passwords. I know many instances of users not using services, because they forgot the passwords, and the services make it difficult to reclaim their accounts (Google, for instance).
Too much security can be a killer, for many applications. We don't need Fort Knox security for many apps.
In our case, we make sure that we don't require any user data, beyond a simple email address (and have Apple's private relay enabled, for those that want a bit more security). For many app developers, keeping so little user data is anathema, as they are actually PID harvesters.
absolutely this. for most services i WANT to be able to recover access with only my email address. if i forget the password for a service, then most likely i also lost whatever additional security codes i have been told to save somewhere.
i have half a dozen backups of all the ssh keys i use because i am scared to loose them. the chance that someone gets access to one of those backups is probably more likely than them breaking into my email. ok, they would still have to find the password for the ssh keys. my point is that the risk to loose something that i can't keep in my head is greater than such a breakin. when i set up 2FA for github or gitlab i am going to plaster that 2FA app on as many devices as i possibly can to mitigate the risk that i would loose one of those devices which could permanently lock me out.
how likely is it that an attacker can take over my email?
they would have to break into my laptop, and take over my browser and break into my mail server. or they would have to spoof the DNS for my email domain.
This seems pretty normal? If you've forgotten the password, you reset it via a reset email. If you had MFA set up, you still need the MFA with the new password. To reset the MFA, you either log in with a recovery code or you contact support.
2fa means BOTH factors are needed. the situation you are discussing here is not password and email but password or email. either one would work.
i have seen services that send a token to your email every time you log in or when you log in on a new device or when you haven't logged in in a long time. that would indeed be a form of 2FA. but these services also allow you to reset the password through email, so it's not exactly 2FA all the time like most other 2FA setups.
