New Relic: Adding a new user discloses their full name in the "Users" section of NR Alerts notification channels page

2018-04-29T00:51:54
ID H1:344309
Type hackerone
Reporter jon_bottarini
Modified 2020-08-26T10:57:56

Description

The NR developers did a really good job at restricting me from finding out info about other user accounts through the NR Synthetics settings - so far I haven't found a way to bypass it (yet 😉).

There exists another way to obtain this information about other user accounts, and it has to do with the notification channel settings within NR Alerts. It seems like the devs have forgotten to conceal the name of new users added to the account via the "channels" endpoint.

Proof is that I pulled the first+last name of the user account "admin@newrelic.com" (Note: In the future for these types of bugs, are you ok with me using this account as a proof of concept? Since I assume it isn't a customer and belongs to a member of New Relic, I'd rather pull data from this account rather than another NR customer.):

{F291610}

This information is concealed on the users page:

{F291611}

Steps to Reproduce:

  1. As an admin, add a new user to your NR account (I used admin@newrelic.com for the email)
  2. Navigate to https://alerts.newrelic.com/accounts/ACCOUNT_ID/channels
  3. Observe that the full name of the user is disclosed in the "Users" section on this page. Optionally, you can directly navigate to the user channel you added as well and the full name is not hidden:

https://alerts.newrelic.com/accounts/ACCOUNT_ID/channels/1081322

^ 1081322 is the User notification channel for the user "admin@newrelic.com"

Let me know if there are any other questions, thanks!

Impact

IDOR allows me to view names of other New Relic customers.
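The root cause described in this report is two endpoints applying different disclosure rules to the same field: the users page masks a newly added user's full name, while the alerts "channels" endpoint copies it straight from the user record. The following is an added illustration, not code from the report or from New Relic, of the defensive pattern that prevents this class of bug: one policy function decides whether a viewer may see a target's full name, every serializer calls it, and an audit walks the channel endpoint's output to catch any response that still exposes a name the policy denies. The data model (User, UserChannel, a home_account field, the "(name hidden)" placeholder) and the policy itself (a name is visible only to the user themself or to users from the same home account) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class User:
    user_id: int
    email: str
    full_name: str
    home_account: int  # account the user originally signed up under (assumed field)


@dataclass(frozen=True)
class UserChannel:
    channel_id: int
    account_id: int    # account whose alert policies this channel belongs to
    user_id: int       # the user that this "user" notification channel targets


NAME_HIDDEN = "(name hidden)"  # constructed placeholder for the masked display value


def may_see_full_name(viewer: User, target: User) -> bool:
    """Single policy decision shared by every endpoint (assumed policy).

    A user always sees their own name; otherwise the name is visible only
    when both users belong to the same home account. A user invited into
    another customer's account by e-mail therefore stays masked there.
    """
    if viewer.user_id == target.user_id:
        return True
    return viewer.home_account == target.home_account


def display_name(viewer: User, target: User) -> str:
    return target.full_name if may_see_full_name(viewer, target) else NAME_HIDDEN


def serialize_user_row(viewer: User, target: User) -> Dict[str, object]:
    """Users page: applies the policy (the behaviour the report observed there)."""
    return {"id": target.user_id, "email": target.email, "name": display_name(viewer, target)}


def serialize_channel_leaky(viewer: User, channel: UserChannel,
                            users: Dict[int, User]) -> Dict[str, object]:
    """Before: the channel endpoint reads full_name off the model with no policy check."""
    target = users[channel.user_id]
    return {"channel_id": channel.channel_id, "type": "user",
            "email": target.email, "name": target.full_name}


def serialize_channel_fixed(viewer: User, channel: UserChannel,
                            users: Dict[int, User]) -> Dict[str, object]:
    """After: same field, routed through the shared display_name policy."""
    target = users[channel.user_id]
    return {"channel_id": channel.channel_id, "type": "user",
            "email": target.email, "name": display_name(viewer, target)}


Serializer = Callable[[User, UserChannel, Dict[int, User]], Dict[str, object]]


def find_name_leaks(viewer: User, users: Dict[int, User],
                    channels: List[UserChannel], serializer: Serializer) -> List[int]:
    """Audit: return ids of channels whose response exposes a full name the policy denies.

    `channels` is assumed to be already scoped to the account the viewer is browsing.
    """
    leaks: List[int] = []
    for ch in channels:
        target = users[ch.user_id]
        out = serializer(viewer, ch, users)
        if out["name"] == target.full_name and not may_see_full_name(viewer, target):
            leaks.append(ch.channel_id)
    return leaks


def sample_scenario() -> Tuple[User, Dict[int, User], List[UserChannel]]:
    """Constructed data: an account admin, a colleague, and an invited external user."""
    admin = User(1, "owner@example.com", "Ann Owner", home_account=100)
    colleague = User(2, "colleague@example.com", "Bo Colleague", home_account=100)
    external = User(3, "invited-user@example.com", "Cy External", home_account=200)
    users = {u.user_id: u for u in (admin, colleague, external)}
    channels = [UserChannel(10, 100, 1), UserChannel(11, 100, 2), UserChannel(12, 100, 3)]
    return admin, users, channels


if __name__ == "__main__":
    viewer, users, channels = sample_scenario()
    print("leaky endpoint leaks channels:", find_name_leaks(viewer, users, channels, serialize_channel_leaky))
    print("fixed endpoint leaks channels:", find_name_leaks(viewer, users, channels, serialize_channel_fixed))
```

The audit function is the part worth keeping in a test suite: it compares every endpoint that renders a user against the one policy function, so a new serializer that forgets the check fails a test instead of shipping, which is exactly the gap between the users page and the channels page that this report exploited.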