Vulnerable Url: https://rpm.newrelic.com/accounts/USERID.json
Description of the Bug:
A Restricted User in an organization cannot add new users to the organization, cannot change the organization name, cannot generate or download reports, and cannot read any information about the Owner except the Owner's email address.
However, the JSON file at the URL above discloses the Owner's mobile number and the organization's Billing CC email. The exposure is limited to accounts that are already users of that organization, but it is still an information disclosure, since the JSON endpoint returns fields that the web UI hides from a Restricted User.
Proof Of Concept:
Create an account at New Relic with the email address firstname.lastname@example.org (for the sake of the proof of concept).
Create another account with the email address email@example.com.
From the firstname.lastname@example.org account, add email@example.com to the organization as a "Restricted User".
Log in as email@example.com (the Restricted User) and navigate to https://rpm.newrelic.com/accounts/ORGUSERID.json, where ORGUSERID is the ID of the organization's account.
The JSON response discloses data that should not be visible to a Restricted User, such as the Owner's phone number and the Billing CC email.
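The steps above can be turned into a repeatable authorization check: fetch the account JSON with the Restricted User's session and flag any field that the UI hides from that role. The script below is an added example and is not part of the original report or of New Relic's own code; the JSON field names (owner.phone_number, billing_cc_email), the session cookie header and the exact response shape are assumptions, since the report does not show the schema. The sample response is constructed for illustration.

```python
"""Role-differential check for an account JSON endpoint (added example).

Assumptions (not taken from the report): field names matching "phone"/"mobile"
or "billing ... cc/email" are sensitive; the endpoint is /accounts/<id>.json;
authentication is a plain Cookie header.
"""
import json
import re
import urllib.request
from typing import Any, Dict, List

# Field-name patterns a Restricted User should never receive. Assumed names.
SENSITIVE_PATTERNS = [
    re.compile(r"phone|mobile", re.I),
    re.compile(r"billing.*(cc|email)", re.I),
]


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts/lists into dotted paths, e.g. {'owner': {'phone': 1}}
    becomes {'owner.phone': 1}, so keys can be matched by name wherever they sit."""
    flat: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            flat.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            flat.update(flatten(value, f"{prefix}{index}."))
    else:
        flat[prefix[:-1]] = obj
    return flat


def disclosed_sensitive_fields(restricted_view: Dict[str, Any]) -> List[str]:
    """Return the dotted paths in the Restricted User's view whose name matches a
    sensitive pattern and whose value is non-empty. An empty list means the
    endpoint is not leaking those fields to that role."""
    hits: List[str] = []
    for path, value in flatten(restricted_view).items():
        if value in (None, "", [], {}):
            continue  # an empty or null field is not a disclosure
        if any(pattern.search(path) for pattern in SENSITIVE_PATTERNS):
            hits.append(path)
    return sorted(hits)


def fetch_account_json(base_url: str, account_id: str, session_cookie: str) -> Dict[str, Any]:
    """Fetch /accounts/<account_id>.json with the given session cookie.
    Network call with an assumed auth scheme; not exercised by the sample below."""
    request = urllib.request.Request(
        f"{base_url}/accounts/{account_id}.json",
        headers={"Cookie": session_cookie, "Accept": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=15) as response:
        return json.load(response)


# Constructed sample of what a Restricted User's session might receive.
# Field names and values are invented for illustration, not real data.
RESTRICTED_VIEW_SAMPLE: Dict[str, Any] = {
    "id": 12345,
    "name": "Example Org",
    "owner": {
        "email": "firstname.lastname@example.org",   # allowed for this role
        "phone_number": "+1-555-0100",              # should not be returned
    },
    "billing_cc_email": "billing@example.org",      # should not be returned
}


def check_sample() -> List[str]:
    """Run the check over the constructed sample."""
    return disclosed_sensitive_fields(RESTRICTED_VIEW_SAMPLE)


if __name__ == "__main__":
    leaked = check_sample()
    if leaked:
        print("Restricted User can read:", ", ".join(leaked))
    else:
        print("No sensitive fields visible to the Restricted User")
```

To run it against a live account, replace the sample with fetch_account_json("https://rpm.newrelic.com", "ORGUSERID", "<restricted user's session cookie>") and compare the result with the same call made using the Owner's session; the fix is correct when the Restricted User's response contains no path reported by disclosed_sensitive_fields, while the Owner's still does. A stricter variant is an allowlist (only id, name and owner.email permitted for this role), which also catches fields whose names do not match the patterns.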
Hope you'll fix it soon.
Regards, Sahil Tembhare