Dear GitLab bug bounty team, # Summary --- Gitlab.com is vulnerable to reverse tabnabbing, since you use `target="_blank"` on links in the *Environments* section. {F166659} # Why does this vulnerability exist? --- The following `link` is vulnerable to reverse tabnabbing, because it uses `target="_blank"`: ~~~ ~~~ This means the page that opens in a new tab can access the initial tab and change its location using the `window.opener` property. # What are the exploits? --- I used some simple tricks to further increase the chances of this attack working. I added a link to a website which contains the following code: ~~~ 404 Not Found

Not Found

The requested URL was not found on this server.

Apache/2.2.15 (Red Hat) Server at gitlab.com Port 443

~~~ {F166662} The new tab displays a 404 page which increases the likelihood that the victim will return to the previous tab. While the victim visited the attacker's page, the initial tab was redirected to `https://evil.com/ph-login.html`. This page looks exactly like the GitLab login form and asks the victim to re-enter their login credentials. {F166660} # How can this be fixed? --- In order to mitigate this issue, developers are encouraged to use `rel="nofollow noopener noreferrer"` as follows: ~~~ ~~~ Now when you click on this link, the attacker cannot access the initial tab. For more on reverse tabnabbing, please refer to the following page: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/ If you require further information feel free to contact me. Yours sincerely, Ed

GitLab: Gitlab.com is vulnerable to reverse tabnabbing.