Invite codes do not expire after use

FirstBlood-#101 — Invite codes do not expire after use
This issue was discovered on FirstBlood v1

This report has been reviewed and accepted as a valid vulnerability on FirstBlood!

On 2021-05-10, jpdev Level 3 reported:


Summary
It is possible to reuse invite codes to register multiple accounts on to the system. However reusing the Invite code deletes the previous account to use the code
Request
POST /register.php HTTP/1.1
Host: firstbloodhackers.com:49335
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Origin: http://firstbloodhackers.com:49335
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49335/register.php
Cookie: drps=d3caedab3f141960c4064dc80; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
Upgrade-Insecure-Requests: 1

action=register&username=jpdev&inviteCode=F16CA47250E445888824A9E63AE445CE

F16CA47250E445888824A9E63AE445CE
Impact
The impact here is that you lose control of who is accessing the system once the invite code is out in the wild. At this point you are giving someone a foothold into your system .. another layer of the onion per se
Remediation
Amend the invite system to have one use codes that expire after a time period has passed. This means that codes will expire once used or if enough time has elapsed causing it to expire.

This report has been publicly disclosed for everyone to view

P2 High

Endpoint: /register.php

Parameter: inviteCode

Payload: F16CA47250E445888824A9E63AE445CE

FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.

BugBountyHunter

Summary

Request

Impact

Remediation