FirstBlood-#113: Account takeover of a doctor account is possible due to flawed logic in the registration process



On 2021-05-10, bobbylin reported:

Summary

An attacker can take over the account of a doctor by registering with the same username and reusing the invitation code.

Steps

  1. Register a doctor account "jomar" with invitation code "F16CA47250E445888824A9E63AE445CE".
  2. You will see the password of "jomar".
  3. On another browser, register again as "jomar" with the same invitation code "F16CA47250E445888824A9E63AE445CE".
  4. You will see that the password of "jomar" has changed without authorization by the original user.

Impact

An attacker can take over the account of another doctor.

P2 High

Endpoint: register.php

Parameter: username

Payload: jomar


FirstBlood ID: 17
Vulnerability Type: Auth issues

Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's.
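The two defects behind this finding are a registration insert that overwrites an existing row instead of rejecting it, and an invitation code that is validated but never consumed. The following is an added example, not code from FirstBlood's register.php, that models both behaviours against an in-memory SQLite table so the vulnerable and hardened logic can be compared side by side. Table names, column names and the generated passwords are constructed for the example; the username and invitation code are the ones from the report.

```python
import secrets
import sqlite3

# Invitation code from the report; the doctors/invites schema is constructed for this example.
INVITE = "F16CA47250E445888824A9E63AE445CE"


def setup_db():
    """Fresh in-memory database with one unused invitation code."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE doctors (username TEXT PRIMARY KEY, password TEXT NOT NULL, invite_code TEXT NOT NULL)"
    )
    conn.execute("CREATE TABLE invites (code TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0)")
    conn.execute("INSERT INTO invites (code) VALUES (?)", (INVITE,))
    conn.commit()
    return conn


def register_vulnerable(conn, username, invite_code):
    """Models the reported flaw: the invite is only checked for existence (never marked used),
    and INSERT OR REPLACE silently deletes any existing row with the same username, so a second
    registration as "jomar" replaces the original doctor's password with a fresh one."""
    if conn.execute("SELECT 1 FROM invites WHERE code = ?", (invite_code,)).fetchone() is None:
        raise ValueError("invalid invitation code")
    # Password hashing is omitted to keep the focus on the registration logic.
    password = secrets.token_urlsafe(12)
    with conn:
        conn.execute("INSERT OR REPLACE INTO doctors VALUES (?, ?, ?)", (username, password, invite_code))
    return password


def register_hardened(conn, username, invite_code):
    """Hardened form: one transaction that consumes the invite atomically (the UPDATE only
    matches an unused code) and uses a plain INSERT so the PRIMARY KEY on username rejects a
    duplicate instead of overwriting it. Any failure rolls back, leaving the invite unused."""
    password = secrets.token_urlsafe(12)
    try:
        with conn:
            cur = conn.execute("UPDATE invites SET used = 1 WHERE code = ? AND used = 0", (invite_code,))
            if cur.rowcount != 1:
                raise ValueError("invalid or already-used invitation code")
            conn.execute("INSERT INTO doctors VALUES (?, ?, ?)", (username, password, invite_code))
    except sqlite3.IntegrityError:
        raise ValueError("username already taken")
    return password


def run_scenario(register):
    """Replays the report's steps against one registration function.
    Returns (first_password, second_password_or_None, password_now_stored, row_count)."""
    conn = setup_db()
    first = register(conn, "jomar", INVITE)
    try:
        second = register(conn, "jomar", INVITE)
    except ValueError:
        second = None
    stored = conn.execute("SELECT password FROM doctors WHERE username = ?", ("jomar",)).fetchone()[0]
    count = conn.execute("SELECT COUNT(*) FROM doctors").fetchone()[0]
    return first, second, stored, count


if __name__ == "__main__":
    for name, fn in (("vulnerable", register_vulnerable), ("hardened", register_hardened)):
        first, second, stored, count = run_scenario(fn)
        print(f"{name}: first={first} second={second} stored={stored} rows={count}")
```

In the vulnerable run the stored password is the second one, i.e. the original doctor has been locked out; in the hardened run the second registration fails and the first password is still the one on file. Detection-wise, the same two checks map to log signals worth alerting on: a registration attempt naming an existing username, and an invitation code presented more than once.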


Respect Earnt: 2000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.