New Relic: Unvalidated redirect in

ID H1:207505
Type hackerone
Reporter everardo
Modified 2017-11-10T22:26:54


Affected host:
Affected resource: /auth/newrelic
Affected GET parameter: origin


  1. Go to
  2. If you don't have an active session, you'll need to login with your New Relic credentials
  3. You'll be taken to


The origin parameter is used by the web application to redirect the user to a specified resource by appending its value to the end of this string: This allows attackers to redirect New Relic users to domains they control (in this case This can be leveraged to phish a customer's sensitive information. Please also note that if the user is already logged in, he'll be immediately taken to
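The pattern described above (a request parameter appended to a fixed string to build the redirect target) next to a validated form, as an added example that is not part of the report and not New Relic's code. The base string `BASE`, the function names, and the sample hosts are assumptions, since the report's actual base string does not appear on the page.

```javascript
// Placeholder base string (assumption): the real one is not shown in the report.
const BASE = "https://app.example.com";

// Pattern from the report: the parameter value is appended verbatim, so the
// value itself decides which host the final URL parses to.
function naiveRedirect(origin) {
  return BASE + origin;
}

// Hardened form: accept only local paths, resolve against the base, and
// confirm the parsed result is still on the expected scheme, host and port.
function safeRedirect(origin, fallback = "/") {
  const expected = new URL(BASE);
  const fallbackUrl = new URL(fallback, expected).href;
  // Backslashes and control characters are normalised by URL parsers in ways
  // that can turn a "path" into a host, so reject them outright.
  if (typeof origin !== "string" || /[\\\u0000-\u001f]/.test(origin)) {
    return fallbackUrl;
  }
  // A local path has exactly one leading slash; "//host" is scheme-relative.
  if (!origin.startsWith("/") || origin.startsWith("//")) {
    return fallbackUrl;
  }
  let target;
  try {
    target = new URL(origin, expected);
  } catch {
    return fallbackUrl;
  }
  // Final check on the parsed URL, not on the raw string.
  return target.origin === expected.origin ? target.href : fallbackUrl;
}

// Helper for inspecting which host a URL string actually resolves to.
function hostOf(url) {
  return new URL(url).host;
}

// Constructed sample inputs (not from the report).
const samples = ["/accounts/1", ".other.example", "@other.example", "//other.example/"];
for (const s of samples) {
  console.log(JSON.stringify(s), "naive host:", hostOf(naiveRedirect(s)),
              "| safe:", safeRedirect(s));
}
```

The decision is made on the parsed URL's origin rather than on a prefix or substring of the raw string, which is the check the concatenation approach lacks.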