Ability To Delete User(s) Account Without User Interaction
High
GitLab
Reported by
hx01
Vulnerability Details
Technical details and impact analysis
### Summary:
GitLab lets its users exercise their GDPR rights (Right to Access/Delete) over their data by sending an email to [email protected]. However, the GitLab team does not ask a security question (e.g. date of birth) before deleting the account, and does not authenticate the incoming emails to that address, which allows an attacker to delete user accounts without any user interaction:
██████
### Steps to reproduce
1. Send a spoofed email from the victim's email address to [email protected] via a reputable SMTP service (e.g. SendGrid):
███████
2. Victim will receive the following confirmation email:
{F914565}
3. Within the next few days the victim's account is deleted:
██████
### Fix :
* Add a second verification step, i.e. ask for date of birth or a government ID.
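A defender-side illustration of the two missing checks, added here as an example and not part of the report or of GitLab's own process: an inbound deletion request is first gated on the receiving MX's SPF/DKIM results, and even then deletion only proceeds once the account owner returns a confirmation token mailed to the registered address. The mail samples, domains and signing key are constructed.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: names the account owner, but the receiving MX
# recorded no SPF/DKIM evidence that the message came from that domain.
SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.example; dkim=none
From: Account Owner <owner@victim.example>
To: privacy@example.net
Subject: Delete my account

Please delete my account.
"""

# Constructed sample: same request with SPF and DKIM passing and aligned.
AUTHENTIC = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=victim.example; dkim=pass header.d=victim.example
From: Account Owner <owner@victim.example>
To: privacy@example.net
Subject: Delete my account

Please delete my account.
"""

SECRET = b"constructed-demo-key"  # assumption: real deployments load this from a secret store


def sender_is_authenticated(raw: str) -> bool:
    """True only if the MX stamped spf=pass and dkim=pass, both aligned with From:."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    results = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=pass\s+smtp\.mailfrom=([^;\s]+)", results)
    dkim = re.search(r"dkim=pass\s+header\.d=([^;\s]+)", results)
    return bool(spf and dkim
                and spf.group(1).lower() == from_domain
                and dkim.group(1).lower() == from_domain)


def issue_confirmation_token(user_id: str) -> str:
    """Token sent to the *registered* address; only its return authorizes deletion."""
    return hmac.new(SECRET, f"delete:{user_id}".encode(), hashlib.sha256).hexdigest()


def triage(raw: str, user_id: str) -> str:
    """Never delete on the strength of an email alone: reject, or ask the owner to confirm."""
    if not sender_is_authenticated(raw):
        return "reject: sender not authenticated"
    return "confirm:" + issue_confirmation_token(user_id)


def confirm_deletion(user_id: str, token: str) -> bool:
    """Constant-time check of the token the owner sends back from the registered mailbox."""
    return hmac.compare_digest(issue_confirmation_token(user_id), token)
```

The demo token has no nonce or expiry; a production version would bind both and single-use the token.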
## Impact
Since GitLab does not verify the request against a valid ID before acting on a Right to Access/Deletion request, this breaches GDPR (Article 15) and, moreover, allows an attacker to delete user accounts without user interaction.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Misconfiguration