FirstBlood-#101 — Invite codes do not expire after use
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, jpdev reported:
It is possible to reuse invite codes to register multiple accounts onto the system. However, reusing the invite code deletes the previous account that used the code.
POST /register.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept-Encoding: gzip, deflate
Cookie: drps=d3caedab3f141960c4064dc80; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
The impact here is that you lose control of who is accessing the system once the invite code is out in the wild. At this point you are giving someone a foothold into your system ... another layer of the onion, per se.
Amend the invite system to have one-use codes that expire after a time period has passed. This means that codes will expire once used, or once enough time has elapsed to cause them to expire.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
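The remediation suggested in the report, one-use codes with a time limit, is small enough to show end to end. The following is an added example, not FirstBlood's register.php or any code from the reporter: a `LegacyInviteRegistry` that models the reported behaviour (a code never expires and redeeming it again replaces the earlier account), beside a hardened `InviteRegistry` that marks a code consumed on first use, rejects it after a TTL, and stores only a SHA-256 digest of the code so a leaked table does not hand out live invites. Class and function names, the TTL value and the injected `FakeClock` are all assumptions made for the example.

```python
"""Single-use, time-limited invite codes (added example; hypothetical code, not
FirstBlood's register.php). A clock is injected so expiry can be exercised offline."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class Invite:
    created_at: float            # issue time, seconds since epoch
    ttl_seconds: int             # how long the code stays redeemable
    used_by: Optional[str] = None  # username that consumed it, once redeemed


class LegacyInviteRegistry:
    """Models the behaviour described in the report: codes never expire and a
    second redemption silently deletes whoever registered with the code before."""

    def __init__(self) -> None:
        self.codes: Set[str] = set()
        self.accounts: Dict[str, str] = {}   # username -> invite code used

    def issue(self) -> str:
        code = secrets.token_urlsafe(24)
        self.codes.add(code)
        return code

    def redeem(self, code: str, username: str) -> bool:
        if code not in self.codes:
            return False
        # Drop the earlier account tied to this code, then register the new one.
        for existing, used_code in list(self.accounts.items()):
            if used_code == code:
                del self.accounts[existing]
        self.accounts[username] = code
        return True


class InviteRegistry:
    """Hardened store: each code is single-use and expires after its TTL. Only
    sha256(code) is persisted, so the table itself is not a list of live invites."""

    def __init__(self, default_ttl: int = 24 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._default_ttl = default_ttl
        self._invites: Dict[str, Invite] = {}   # digest -> Invite
        self.accounts: Dict[str, str] = {}       # username -> digest used

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, ttl_seconds: Optional[int] = None) -> str:
        code = secrets.token_urlsafe(24)   # 192 bits from a CSPRNG, not guessable
        ttl = self._default_ttl if ttl_seconds is None else ttl_seconds
        self._invites[self._digest(code)] = Invite(self._clock(), ttl)
        return code

    def redeem(self, code: str, username: str) -> str:
        """Return 'ok', 'unknown', 'used' or 'expired'; only 'ok' creates an account."""
        inv = self._invites.get(self._digest(code))
        if inv is None:
            return "unknown"
        if inv.used_by is not None:
            return "used"                   # first use consumed it; never overwrite
        if self._clock() - inv.created_at > inv.ttl_seconds:
            return "expired"
        inv.used_by = username
        self.accounts[username] = self._digest(code)
        return "ok"

    def purge_expired(self) -> int:
        """Remove unredeemed codes past their TTL; returns how many were dropped."""
        now = self._clock()
        stale = [d for d, inv in self._invites.items()
                 if inv.used_by is None and now - inv.created_at > inv.ttl_seconds]
        for d in stale:
            del self._invites[d]
        return len(stale)


class FakeClock:
    """Constructed test clock so expiry can be stepped without sleeping."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    reg = InviteRegistry(default_ttl=3600, clock=clock)
    code = reg.issue()
    print(reg.redeem(code, "dr_alice"))   # ok
    print(reg.redeem(code, "intruder"))   # used
    clock.advance(7200)
    print(reg.redeem(reg.issue(), "late"))  # expired only after the TTL passes
```

The audit signal worth keeping from this design is the `used` and `expired` outcomes: a burst of `used` results against one code is exactly the leaked-invite scenario the report describes, and it is now a log line rather than a replaced account.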
Respect Earnt: 1500000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.