The Salesforce login integration allows an attacker to bypass email verification: a user is able to sign up with any email domain they want, effectively bypassing all email domain whitelist/blacklist restrictions, or any other third party relying on the GitLab instance's email address.
It is possible because Salesforce allows an admin to create a user with an arbitrary email, and I believe this is what the GitLab engineer forgot to consider while implementing the Salesforce integration.
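The root cause described above is an OAuth callback that treats the email address asserted by the identity provider as proof of ownership. The following Ruby snippet is an added example, not GitLab's or Salesforce's code: it places the weak pattern beside a hardened handler that re-applies the instance's domain restriction to the provider-supplied address and only skips confirmation for providers explicitly trusted to assert verified emails. The constants `TRUSTED_EMAIL_PROVIDERS`, `ALLOWED_SIGNUP_DOMAINS`, the provider name `trusted_idp` and the sample payload are all assumptions constructed for the example.

```ruby
# Added example (not GitLab's or Salesforce's code): how an OAuth callback
# handler should treat an email address asserted by an identity provider whose
# admins can set arbitrary addresses on their users.

require 'set'

# Hypothetical policy: providers whose "verified email" assertion may skip the
# instance's own confirmation step. Salesforce lets an org admin set any email
# on a user, so it is deliberately absent from this list.
TRUSTED_EMAIL_PROVIDERS = Set.new(%w[trusted_idp]).freeze

# Hypothetical instance setting: domains permitted to sign up (empty = any).
ALLOWED_SIGNUP_DOMAINS = %w[example.com].freeze

# Minimal stand-in for a user record.
User = Struct.new(:email, :provider, :confirmed, keyword_init: true)

def email_domain(email)
  email.to_s.split('@', 2)[1].to_s.downcase
end

def domain_allowed?(email)
  return true if ALLOWED_SIGNUP_DOMAINS.empty?
  ALLOWED_SIGNUP_DOMAINS.include?(email_domain(email))
end

# Weak handler: the bug pattern the report describes. The provider-supplied
# email is accepted as confirmed and the domain restriction is never checked.
def weak_signup_from_oauth(auth)
  User.new(email: auth[:email], provider: auth[:provider], confirmed: true)
end

# Hardened handler: normalise and validate the asserted address, enforce the
# domain restriction on it, and mark it confirmed only when a provider on the
# trusted list explicitly asserts verification; otherwise the account starts
# unconfirmed and goes through the normal email confirmation flow.
def hardened_signup_from_oauth(auth)
  email = auth[:email].to_s.strip.downcase
  raise ArgumentError, 'malformed email' unless email.match?(/\A[^@\s]+@[^@\s]+\.[^@\s]+\z/)
  raise ArgumentError, "domain #{email_domain(email)} not permitted" unless domain_allowed?(email)

  verified = TRUSTED_EMAIL_PROVIDERS.include?(auth[:provider]) && auth[:email_verified] == true
  User.new(email: email, provider: auth[:provider], confirmed: verified)
end

# Constructed sample callback payload: a Salesforce org admin created a user
# whose address sits at a domain the instance does not allow.
SAMPLE_SALESFORCE_AUTH = {
  provider: 'salesforce',
  email: 'victim@corp-internal.test',
  email_verified: true
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "weak handler confirmed: #{weak_signup_from_oauth(SAMPLE_SALESFORCE_AUTH).confirmed}"
  begin
    hardened_signup_from_oauth(SAMPLE_SALESFORCE_AUTH)
  rescue ArgumentError => e
    puts "hardened handler rejected: #{e.message}"
  end
end
```

The design point is that the domain check and the confirmation decision both run on the address the provider returned, not on anything the provider claims about it; a provider whose administrators control the email field can at most create an unconfirmed account, which still has to prove ownership of the mailbox.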
Please follow along to see how I was able to create an account ███████ in gitlab.com
██████████
:██████████
████
by visiting https://gitlab.com/profile/emails
Bypasses the email domain restriction and allows signup with an arbitrary email domain
Able to sign up with any email domain
should need email verification
{F511255}
described above