New Relic: [NR Alerts/Synthetics] IDOR through /policies.json with Synthetics exposes full name of other NR users

2018-10-05T22:35:37
ID H1:419875
Type hackerone
Reporter jon_bottarini
Modified 2020-09-04T11:04:45

Description

This is a similar IDOR that I've reported in the past - but I've found a bypass through a misconfiguration requiring pre-setup in both Alerts and Synthetics to work correctly. I'll show you what I mean:

Steps to Reproduce

From new user creation page:

  1. Add a new user to the account (https://account.newrelic.com/accounts/1523936/users/new)
  2. Enter "IDOR" as the name and "newrelic@newrelic.com" as the email
  3. Make them a "user" base role.
  4. Click the add user button.

From Alerts:

  1. Click on Alert policies tab
  2. Create new alert policy (https://alerts.newrelic.com/accounts/1523936/policies/new)
  3. Name it "This is an IDOR"
  4. Create the policy then go to notification channels of that policy (NOTE: Do NOT add applicable conditions, leave them blank. This is important for later).
  5. Click "Add notification channels", then "select users"
  6. Uncheck ALL users EXCEPT the user you want to IDOR (see screenshot below)

{F356230}

  7. Click "Update Policy"

From Synthetics:

  1. Go to the "create a new monitor" page (https://synthetics.newrelic.com/accounts/ACCOUNT_ID/monitors/new)
  2. Scroll down to the bottom of the page where it says "Add to existing policy"
  3. You can use the search bar to find "IDOR" (the policy you just made) or scroll down to where it shows your recently created alert policy with NO applicable conditions, exposing the full name of the user:

{F356233}

This data is being pulled from the /policies.json response:

  {
    "id": 402195,
    "accountId": 1523936,
    "name": "This is an IDOR",
    "enabled": true,
    "isDefaultPolicy": false,
    "accountPolicyId": 323054,
    "description": "No applicable conditions for this policy - opjpoj dfdf fdf <newrelic@newrelic.com> notification channel",
    "defaultPolicy": false
  }
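The leak lives in the auto-generated "description" string, which embeds the notification recipient's full name and email address. The following is an added example (not New Relic's code and not part of the original report) from the defender's side: a scanner that flags any email address surfacing in a policies.json description, marks whether that address belongs to a user who has not yet accepted the account invitation, and a hypothetical replacement description builder that summarises channel counts without embedding identities. The sample response and the ACCEPTED_MEMBERS set are constructed for the example.

```python
import json
import re

# Constructed sample modelled on the response quoted in the report; not captured from New Relic.
SAMPLE_POLICIES_JSON = json.dumps([
    {"id": 402195, "accountId": 1523936, "name": "This is an IDOR", "enabled": True,
     "isDefaultPolicy": False, "accountPolicyId": 323054,
     "description": "No applicable conditions for this policy - opjpoj dfdf fdf "
                    "<newrelic@newrelic.com> notification channel",
     "defaultPolicy": False},
    {"id": 402196, "accountId": 1523936, "name": "Disk space", "enabled": True,
     "isDefaultPolicy": False, "accountPolicyId": 323055,
     "description": "2 conditions, 1 notification channel", "defaultPolicy": False},
])

# Hypothetical membership data: emails of users who have actually accepted the invite.
ACCEPTED_MEMBERS = {"alice@example.com"}

# Matches an email address, optionally wrapped in the "<...>" used by the leaked description.
EMAIL_RE = re.compile(r"<?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})>?")


def find_description_leaks(policies_json, accepted_members):
    """Return one finding per email address found in a policy description.

    Any email in a description is already a leak of channel configuration; the
    'pending_user' flag marks the worse case from the report, where the address
    belongs to someone who has not joined the account and whose name is exposed
    to account members who should never have seen it.
    """
    findings = []
    for policy in json.loads(policies_json):
        description = policy.get("description") or ""
        for email in EMAIL_RE.findall(description):
            # Text before the "<email>" token is where the full name appears in the leak.
            leaked_prefix = description.split("<" + email)[0].strip()
            findings.append({
                "policy_id": policy["id"],
                "email": email,
                "leaked_prefix": leaked_prefix,
                "pending_user": email.lower() not in {m.lower() for m in accepted_members},
            })
    return findings


def safe_policy_description(condition_count, channel_count):
    """Hypothetical hardened description: counts only, never recipient identities."""
    if condition_count == 0:
        return "No applicable conditions for this policy - %d notification channel(s)" % channel_count
    return "%d condition(s), %d notification channel(s)" % (condition_count, channel_count)


if __name__ == "__main__":
    for finding in find_description_leaks(SAMPLE_POLICIES_JSON, ACCEPTED_MEMBERS):
        print(finding)
    print(safe_policy_description(0, 1))
```

Running the scanner against a copy of your own policies.json during a release check, or as a response-body assertion in an API test, catches this class of leak before it ships; the hardened builder shows the shape of the fix, which is to stop interpolating user records into a string that is served under the policy's own authorization rather than the user's.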

Impact

In doing so, you're able to find the full name of other New Relic users who have not joined your account.