New Relic: New Relic - Session Hijacking

ID H1:137480
Type hackerone
Reporter ahsan
Modified 2016-05-13T20:32:22


Hey, I have found a vulnerability in New Relic, so the bug is called "Session Hijacking".

You can see the Proof of Concept video which I've attached to confirm the vulnerability.

Steps to Reproduce:
1) Log in to your account
2) Copy your cookies
3) Log out
4) Clear browser cookies
5) Paste the cookies (copied in step 2)
6) Refresh the page
7) Now you will be logged into the account

The Patch: Cookies should expire after the logout and previous cookies should not be used for logging into the account; they should expire!
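
The replay in the steps above, and the server-side invalidation the report asks for, as an added example that is not part of the original report or New Relic's code. It assumes a signed-cookie session scheme for illustration (the report does not say how the sessions are implemented); all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

KEY = secrets.token_bytes(32)  # constructed signing key, demo only

def mac(payload: str) -> str:
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()

def parse(cookie: str):
    """Return (user, sid) for a validly signed, unexpired cookie, else None."""
    payload, _, tag = cookie.rpartition(".")
    if not hmac.compare_digest(tag, mac(payload)):
        return None
    user, sid, expires = payload.split("|")
    return (user, sid) if int(expires) > time.time() else None

class ClientOnlyLogout:
    """Weak: logout only asks the browser to delete its cookie."""
    def login(self, user: str) -> str:
        payload = f"{user}|{secrets.token_hex(16)}|{int(time.time()) + 3600}"
        return f"{payload}.{mac(payload)}"
    def logout(self, cookie: str) -> None:
        pass  # nothing recorded server-side, so the signed cookie stays valid
    def current_user(self, cookie: str):
        session = parse(cookie)
        return session[0] if session else None

class ServerSideLogout(ClientOnlyLogout):
    """Hardened: a cookie is honoured only while its session id is live."""
    def __init__(self):
        self.live = set()
    def login(self, user: str) -> str:
        cookie = super().login(user)
        self.live.add(parse(cookie)[1])
        return cookie
    def logout(self, cookie: str) -> None:
        session = parse(cookie)
        if session:
            self.live.discard(session[1])  # revoke on the server
    def current_user(self, cookie: str):
        session = parse(cookie)
        return session[0] if session and session[1] in self.live else None

def replay_after_logout(app) -> bool:
    """Run the report's steps; True means the old cookie still logs in."""
    cookie = app.login("alice")  # steps 1-2: log in, copy the cookie
    app.logout(cookie)           # steps 3-4: log out, clear browser cookies
    return app.current_user(cookie) == "alice"  # steps 5-7: paste, refresh
```

`replay_after_logout` can serve as a regression check: it should return `False` for any session backend that invalidates sessions on logout.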