New Relic: No validation on account names

2016-02-05T03:07:42
ID H1:114796
Type hackerone
Reporter ashish_r_padelkar
Modified 2016-08-27T06:30:24

Description

Hi,

Account name text fields have no validation and any characters can be used to save the name. this can be used for malicious purpose. a complete malicious link can be saved in this textboxes and when you send users an invitation to join new relic account, this names will render as valid link in email clients.

for eg if i save account name as some porn site, it will render as link in email client.since the email is from trusted domain like new relic, victim will definitely want to click on the link which will end up him visiting some porn site.

See the attached screen shot. for eg purpose i used http://google.com as name

Thanks & Regards Ashish