New Relic: NR-wide cross account access through misconfigured CORS-policy of multiple endpoints

ID H1:751699
Type hackerone
Reporter skavans
Modified 2020-08-13T13:30:10


Hey guys,

While working on #746786, I've discovered a huge New Relic-wide CORS-policy misconfiguration leading to cross-account data theft and modification at a huge number of endpoints. The vulnerability itself is that origin is trusted NR-wide at many different endpoints, but this domain is used for serving user-supplied content; namely, all nerdlet artifacts are stored on this domain. Thus, an attacker can place a malicious HTML page on this domain and execute many different requests on behalf of the victim after he/she visits this page.

I've crafted and uploaded at a malicious HTML page which performs the following actions:

- reading current user info through GraphQL (actually, any GraphQL operation could be executed instead);
- reading all of the account's user data, including emails, roles, names, etc.;
- creating a new Insights/NR1 dashboard.

User creation, for instance, also works, but I didn't include that payload in the PoC. If you need it as extra severity proof, I can craft such a page.

Steps to reproduce

Navigate to and confirm that I can perform multiple actions on your behalf: {F650704}


Currently the domain is used for user-supplied artifacts (where every file type, including HTML, is rendered inline) and at the same time it is trusted NR-wide as a CORS origin. You should either move all user-supplied content to a separate sandbox domain (which isn't trusted anywhere) or correct the CORS policies on every server to reject CORS requests from this domain.
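To make the two halves of the problem concrete (a credentialed CORS allowlist that contains a host serving user uploads, and what the corrected allowlist looks like), here is an added example. It is not New Relic's code and not part of the original report; every hostname in it is a constructed placeholder, since the report redacts the real domain. `cors_headers_for` is the server-side decision (exact-match allowlist, no headers for anything else), and `audit_cors_response` / `allowlist_violations` are the defender-side checks that would have flagged this configuration.

```python
"""Added example (not New Relic's code). Demonstrates the misconfiguration
class in this report: a host that renders user-uploaded HTML inline being
listed as a credentialed CORS origin. All hostnames are constructed placeholders."""
from urllib.parse import urlsplit

# Constructed placeholders; the report redacts the real hostnames.
API_ORIGINS = {"https://api.example.test", "https://app.example.test"}
USER_CONTENT_HOSTS = {"artifacts.example-content.test"}  # serves user uploads inline

# Weak configuration: the artifact host is trusted like a first-party origin.
WEAK_ALLOWLIST = API_ORIGINS | {"https://artifacts.example-content.test"}
# Corrected configuration: only first-party origins, user content stays untrusted.
HARDENED_ALLOWLIST = set(API_ORIGINS)


def cors_headers_for(origin, allowlist):
    """Server side: emit CORS headers only for an exact allowlist match.

    Returns {} (no CORS headers at all) for a missing or untrusted Origin, so the
    browser blocks the cross-origin read instead of the server echoing the origin.
    """
    if not origin or origin not in allowlist:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving one origin's grant to another
    }


def audit_cors_response(headers, user_content_hosts):
    """Classify the CORS grant in a response from a defender's point of view.

    'user-content-origin-trusted' is the finding in this report: a host that
    renders arbitrary user uploads is granted credentialed cross-origin access.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard"  # browsers refuse to send credentials to '*', so no account access
    host = urlsplit(acao).hostname
    if host in user_content_hosts and creds:
        return "user-content-origin-trusted"
    return "credentialed" if creds else "anonymous"


def allowlist_violations(allowlist, user_content_hosts):
    """Static check of a CORS allowlist: every entry whose host serves user content."""
    return sorted(o for o in allowlist if urlsplit(o).hostname in user_content_hosts)


if __name__ == "__main__":
    artifact_origin = "https://artifacts.example-content.test"
    for name, allowlist in (("weak", WEAK_ALLOWLIST), ("hardened", HARDENED_ALLOWLIST)):
        resp = cors_headers_for(artifact_origin, allowlist)
        print(name, "->", audit_cors_response(resp, USER_CONTENT_HOSTS),
              "violations:", allowlist_violations(allowlist, USER_CONTENT_HOSTS))
```

The static check (`allowlist_violations`) is the cheaper of the two to run across many services, which matters here because the report's point is that the trust was granted NR-wide rather than at one endpoint; the response audit is what you would run against live responses when the allowlists are not all in one place.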


NR-wide cross-account access for multiple actions.