New Relic: Improper Session Management

ID H1:139178
Type hackerone
Reporter czd
Modified 2017-02-19T14:36:59


When a user successfully logs in to the account, there are 3 new links which he/she can visit. But when the user logs out from one link, e.g. HTTP://*, a "user successfully logged out" message appears and the user is logged out. Here the user is logged out from 2 links, e.g. HTTP:// and HTTP://

But users are wide open to attack on 1 link because of improper session management, e.g. HTTP://

An attacker can do anything on the above account.

Steps to reproduce:

(1) Log in from the account; it will open to "rpm".
(2) Open a link in a new window and the user will move to "insight".
(3) Open the 3rd link, "Synthetics", in a new tab.
(4) Log out from Insight.
(5) Visit the Synthetics page; the user will automatically be logged out.
(6) Visit the rpm link, and an attacker can change anything on the account.
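The following is an added example, not part of the original report and not New Relic's code: a minimal model of the logout behaviour described in the steps above, with a regression check that lists which product sessions survive a logout. The `SessionAuthority` class, its `logout_scope` parameter and the one-token-per-product design are assumptions made for illustration; only the product names come from the report.

```python
import secrets

SERVICES = ("rpm", "insight", "synthetics")  # product names as written in the report


class SessionAuthority:
    """Hypothetical session store: one token per product for each login."""

    def __init__(self, logout_scope):
        # logout_scope: products whose tokens a logout revokes (assumption).
        self.logout_scope = set(logout_scope)
        self.tokens = {}  # token -> (login_id, service)

    def login(self):
        login_id = secrets.token_hex(8)
        issued = {svc: secrets.token_urlsafe(16) for svc in SERVICES}
        for svc, tok in issued.items():
            self.tokens[tok] = (login_id, svc)
        return issued

    def is_valid(self, token, service):
        return self.tokens.get(token, (None, None))[1] == service

    def logout(self, token):
        if token not in self.tokens:
            return
        login_id, _ = self.tokens[token]
        # Revoke every token of this login that falls inside the scope.
        for tok, (lid, svc) in list(self.tokens.items()):
            if lid == login_id and svc in self.logout_scope:
                del self.tokens[tok]


def surviving_sessions(authority, logout_from="insight"):
    """Regression check: log in, log out of one product, list what still works."""
    issued = authority.login()
    authority.logout(issued[logout_from])
    return [svc for svc, tok in issued.items() if authority.is_valid(tok, svc)]


# Constructed scenario: an incomplete scope leaves "rpm" alive after logout.
flawed = SessionAuthority(logout_scope=("insight", "synthetics"))
fixed = SessionAuthority(logout_scope=SERVICES)

if __name__ == "__main__":
    print("flawed:", surviving_sessions(flawed))
    print("fixed: ", surviving_sessions(fixed))
```

A check like `surviving_sessions` belongs in the test suite of any multi-product login: it should return an empty list no matter which product the logout starts from.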