New Relic: Users can enable API access for free via mass assignment

2017-09-12T15:37:22
ID H1:267781
Type hackerone
Reporter albinowax
Modified 2019-07-08T23:08:49

Description

Free-tier users aren't allowed API access, but it's possible to bypass this restriction thanks to a mass assignment bug: the account update endpoint accepts the attribute that gates API access directly from the request body.

To replicate this, first verify that you don't already have API access by visiting Account Settings -> API Explorer -> Create an API Key. You should see the message "This feature isn't available at your current subscription level".

Now go to "Account Settings", change your name, intercept the resulting POST request to /accounts/youraccountid.json, and add the following POST parameter: account[allow_api_access]=true

Now if you revisit Account Settings -> API Explorer you'll see you have an API key.
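The following is an added illustration, not code from the report or from New Relic, of why the extra parameter works. It assumes a Rails-style account update action that passes every key under params[:account] straight to the model (the vulnerable shape) and shows the same action restricted to a permit list (the fix). The nested-form parser, the Account class, and the intercepted request body are constructed for this example; only the parameter name account[allow_api_access] and the endpoint shape come from the report.

```ruby
require "uri"

# Minimal parser for Rails-style nested form bodies, e.g.
# "account[name]=Alice&account[allow_api_access]=true"
#   -> {"account" => {"name" => "Alice", "allow_api_access" => "true"}}
# One level of nesting covers the request shape in this report.
def parse_nested_form(body)
  params = {}
  URI.decode_www_form(body).each do |key, value|
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# Stand-in for the account record (hypothetical). "allow_api_access" is the
# attribute a free-tier user must not be able to set from the settings form.
class Account
  attr_reader :attributes

  def initialize(name:, allow_api_access: false)
    @attributes = { "name" => name, "allow_api_access" => allow_api_access }
  end

  # Mass assignment: writes every supplied key that names a real attribute,
  # with no notion of which keys the caller was allowed to send.
  def update_attributes(attrs)
    attrs.each { |k, v| @attributes[k] = v if @attributes.key?(k) }
    self
  end

  def api_access?
    [true, "true"].include?(@attributes["allow_api_access"])
  end
end

# Vulnerable update action: whatever is under params["account"] reaches the model,
# so an attacker-added account[allow_api_access]=true flips the billing flag.
def vulnerable_update(account, body)
  params = parse_nested_form(body)
  account.update_attributes(params.fetch("account", {}))
end

# Hardened update action: only the attributes the settings form legitimately
# edits are permitted; the injected flag is silently dropped.
PERMITTED_ACCOUNT_ATTRS = %w[name].freeze

def hardened_update(account, body)
  params = parse_nested_form(body)
  permitted = params.fetch("account", {}).slice(*PERMITTED_ACCOUNT_ATTRS)
  account.update_attributes(permitted)
end

# Constructed stand-in for the intercepted POST body after the extra
# parameter has been appended (URL-encoded as a browser would send it).
INTERCEPTED_BODY = "account%5Bname%5D=Alice+Example&account%5Ballow_api_access%5D=true"

if $PROGRAM_NAME == __FILE__
  free_user = Account.new(name: "Free User")
  puts "vulnerable: api_access? = #{vulnerable_update(free_user, INTERCEPTED_BODY).api_access?}"
  free_user = Account.new(name: "Free User")
  puts "hardened:   api_access? = #{hardened_update(free_user, INTERCEPTED_BODY).api_access?}"
end
```

The permit list is the whole fix: the model's update call is identical in both versions, and the difference is only which keys from the request are allowed to reach it. Any attribute that drives entitlement or billing (here the API access flag) should be settable only by server-side logic, never by a key the client can add to the form.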

I'm not sure how serious this is; it depends on the intricacies of your billing model.