Original Post: GitLab Account Takeover with Hardcoded Password
This vulnerability was analyzed during Episode 133 on 04 April 2022
This is a weird one, but easily understood: when OmniAuth was used as the authentication provider (for OAuth, LDAP, or SAML logins, for example), the account created for the new user was given a hardcoded password. Anyone who knew that password, and it lived in the public source tree, could sign in to the account directly with it wherever password sign-in was permitted, which is the account takeover.
What's weird is how this passed code review. The patch itself was trying to improve the password used for testing so their tooling wouldn't complain about weak passwords. But in the midst of several changes related to that, the test password ended up being used as the actual password for newly created accounts.
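To make the bug pattern concrete, here is an added illustration in plain Ruby (not code from the post, nor GitLab's own code): a test-fixture password leaking into the builder that provisions accounts from an OmniAuth callback, beside the per-user random password it should have been, plus a small check that would catch the regression. The constant name and value, the auth hash, and the function names are all assumptions for the example.

```ruby
require "securerandom"

# Stand-in for the project's test-fixture password. The real constant and its
# value are not on this page; this value is an assumption used for illustration.
TEST_DEFAULT_PASSWORD = "123qweQWE!@#"

# A constructed OmniAuth-style auth hash, shaped like what a provider callback
# (SAML here) would hand to the application.
SAMPLE_AUTH = {
  "provider" => "saml",
  "uid"      => "jane.doe",
  "info"     => { "email" => "jane.doe@example.com", "name" => "Jane Doe" },
}.freeze

# Vulnerable pattern: the password meant only for test fixtures is used when
# provisioning a real account from an external identity, so every account
# created this way shares one publicly known password.
def build_user_vulnerable(auth)
  {
    provider: auth["provider"],
    username: auth["uid"],
    email:    auth["info"]["email"],
    name:     auth["info"]["name"],
    password: TEST_DEFAULT_PASSWORD,              # the bug: fixed, public value
    password_automatically_set: true,
  }
end

# Hardened pattern: each provisioned account gets a fresh random password that
# is never disclosed to anyone, so direct password sign-in is effectively
# closed and the external provider stays the only way in.
def build_user_fixed(auth, length = 32)
  {
    provider: auth["provider"],
    username: auth["uid"],
    email:    auth["info"]["email"],
    name:     auth["info"]["name"],
    password: SecureRandom.alphanumeric(length),  # per-user, unguessable
    password_automatically_set: true,
  }
end

# Models the direct username/password sign-in an attacker would attempt against
# a provisioned account, guessing the test password read from the source tree.
# (Plain comparison stands in for the real hashed-password check.)
def attacker_guess_succeeds?(user, guess = TEST_DEFAULT_PASSWORD)
  user[:password] == guess
end

# Regression check worth keeping in CI: provisioning two accounts must never
# yield the same password, and the test-fixture password must never appear in
# a real account record. Takes the account builder as a callable.
def provisioning_safe?(builder)
  a = builder.call(SAMPLE_AUTH)
  b = builder.call(SAMPLE_AUTH)
  a[:password] != b[:password] &&
    [a, b].none? { |u| u[:password] == TEST_DEFAULT_PASSWORD }
end

if __FILE__ == $PROGRAM_NAME
  %w[build_user_vulnerable build_user_fixed].each do |name|
    builder = method(name)
    puts "#{name}: safe=#{provisioning_safe?(builder)} " \
         "attacker_guess=#{attacker_guess_succeeds?(builder.call(SAMPLE_AUTH))}"
  end
end
```

Run directly, the script prints one line per builder: the vulnerable one fails the safety check and the attacker's guess succeeds; the fixed one passes and the guess fails. Two practitioner caveats: fixing the builder does nothing for accounts that were already provisioned with the known password, so those need their passwords reset as part of the remediation, and the exposure only matters where password sign-in is actually accepted for externally provisioned accounts, which is a setting worth verifying rather than assuming.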