New Relic: Ability to run monitors' jobs of other accounts and to read these jobs content (including the secure credentials values)

2020-02-02T21:50:29
ID H1:787886
Type hackerone
Reporter skavans
Modified 2020-08-13T13:45:22

Description

@skavans identified an endpoint used to test (recheck) Synthetics monitors. The endpoint did not verify that the `monitorId` supplied in the request belonged to the account named in the URL, so a user who knew another account's monitor ID could trigger that monitor's job from their own account and read the resulting job content, including the values of the monitor's secure credentials:

```http
POST /accounts/<ACCOUNT ID>/monitors/monitor/recheck.json?monitorId=<MONITOR_ID> HTTP/1.1
Host: synthetics.newrelic.com
...

{"monitorId":"<MONITOR_ID>","location":"AWS_AP_SOUTHEAST_1","accountId":<ACCOUNT ID>}
```
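The request above carries the account ID twice (in the path and in the JSON body) and the monitor ID twice (query string and body), and the flaw is that none of these were tied together: the caller's right to use the account in the path was checked, but the monitor was looked up by ID alone. The following is an added illustration, not New Relic's code, of a vulnerable handler beside a hardened one; the `Monitor` record, the in-memory monitor table, the `run_job` stand-in and the sample credential values are all constructed for the example.

```python
"""Added example (not New Relic code): the ownership check a monitor
recheck endpoint needs so that a monitor ID from another account cannot
be run, and its job output read, from the attacker's own account."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller may not act on the account named in the URL."""


class NotFound(Exception):
    """Monitor does not exist for this account (deliberately used for
    both 'missing' and 'belongs to someone else', so IDs cannot be probed)."""


class BadRequest(Exception):
    """Body and path disagree about the account."""


@dataclass(frozen=True)
class Monitor:
    monitor_id: str
    account_id: int
    secure_credentials: dict  # hypothetical; stands in for the job content


# Constructed sample data: two accounts, one monitor each.
MONITORS = {
    "mon-aaaa": Monitor("mon-aaaa", 1001, {"API_KEY": "acct1001-secret"}),
    "mon-bbbb": Monitor("mon-bbbb", 2002, {"API_KEY": "acct2002-secret"}),
}


def run_job(monitor, account_id, location):
    """Stand-in for job execution. The real job output is what exposes the
    secure credentials, so it is modelled here as returning them."""
    return {
        "accountId": account_id,
        "monitorId": monitor.monitor_id,
        "location": location,
        "job_output": monitor.secure_credentials,
    }


def recheck_vulnerable(caller_accounts, path_account_id, monitor_id, location,
                       body_account_id=None):
    """Mirrors the reported behaviour: only the path account is authorized;
    the monitor is fetched by ID with no ownership check."""
    if path_account_id not in caller_accounts:
        raise Forbidden(path_account_id)
    monitor = MONITORS.get(monitor_id)
    if monitor is None:
        raise NotFound(monitor_id)
    # Bug: monitor.account_id is never compared with path_account_id.
    return run_job(monitor, path_account_id, location)


def monitor_owned_by(account_id, monitor_id):
    """True only if the monitor exists AND belongs to the given account."""
    monitor = MONITORS.get(monitor_id)
    return monitor is not None and monitor.account_id == account_id


def recheck_hardened(caller_accounts, path_account_id, monitor_id, location,
                     body_account_id=None):
    """Same endpoint with the missing checks added."""
    if path_account_id not in caller_accounts:
        raise Forbidden(path_account_id)
    # The body's accountId is redundant with the path; never let it override
    # the path, and reject requests where the two disagree.
    if body_account_id is not None and body_account_id != path_account_id:
        raise BadRequest("accountId in body does not match URL")
    # Scope the lookup to the account: a monitor owned by another account
    # is indistinguishable from one that does not exist.
    if not monitor_owned_by(path_account_id, monitor_id):
        raise NotFound(monitor_id)
    monitor = MONITORS[monitor_id]
    return run_job(monitor, monitor.account_id, location)
```

With account 1001's session, `recheck_vulnerable` happily runs `mon-bbbb` (owned by 2002) and returns its credentials, while `recheck_hardened` answers with the same `NotFound` it would give for a random ID. The important design choice is that the authorization check is a query scoped by account (`monitor_owned_by`) rather than a separate "is this mine?" branch bolted on after a global lookup, which is the pattern that tends to get forgotten on the next endpoint.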