New Relic: Unvalidated redirect in alerts.newrelic.com/auth/newrelic?origin=

2017-02-19T15:10:06
ID H1:207505
Type hackerone
Reporter everardo
Modified 2017-11-10T22:26:54

Description

Affected host: alerts.newrelic.com Affected resource: /auth/newrelic Affected GET parameter: origin

PoC:

  1. Go to https://alerts.newrelic.com/auth/newrelic?origin=.example.com
  2. If you don't have an active session, you'll need to login with your New Relic credentials
  3. You'll be taken to https://alerts.newrelic.com.example.com

Description:

The originparameter is used by the web application to redirect the user to a specified resource by appending its value to the end of this string: https://alerts.newrelic.com. This allows attackers to redirect New Relic users to domains they control (in this case example.com). This can be leveraged to phish a customer's sensitive information. Please also note that if the user is already logged-in, he'll be immediately taken to https://alerts.newrelic.com.example.com.