[GitLab] Account Takeover via password reset without user interactions

We discussed this vulnerability during Episode 235 on 14 January 2024

Dynamic typing strikes again! Once again some fun stuff can happen when passing in an array where a string is expected.

In this case if instead of passing in a single email string when trying to reset a password, you can pass in an array of emails. The lookup process to find the appropriate user to reset seems to only take a single email, but the lower-level lookup function used supports an array of emails. So by providing an array of emails it will return the user of the first match. There is a tweet POC of the payload.

Then once its found the user it will pass in the provided email as the email to send the password reset information to, once again accepting an array in the to argument leading to the password reset token being sent to all of the emails even if its not associated with the user.

The patch on this one was fairly simple, they removed the option to specify the email to which the reset information will be sent, opting to derive that form the user record itself