FirstBlood-#137 — Potentially take over other doctors' accounts?
On 2021-05-10, ibruteforce reported:
While trying to play with the unique invite code found at #123, I saw that you can register with the same account name multiple times, except for drAdmin. I was essentially looking for a way to register as a doctor without any restriction, which I still haven't figured out. However, upon trying to bypass the restriction, I found a sweet little bug where you could essentially take over any other doctor's account except drAdmin. Now these accounts could be approved at a later stage for full read access.
Even though the restricted account doesn't seem to have full access to patients' details, the attacker could effectively use the bugs shown in #124 and #128 to leak all the patient details. This includes the IDOR endpoint that could help leak all the patient details.
Although you could do the same by just making a new restricted account (without actually taking over an existing account), this bug will also help you take over another doctor's account (in case that specific doctor has some specific patients, or if the restricted account is actually changed to an account with full read access). This is just a theoretical idea; I won't be able to prove this just yet.
Enter the code
Enter the name as you wish; in this case we will name it as
You'll be prompted with your credentials.
At this point, my thinking was what happens if you actually try to register the same account twice? Well, let's follow my next step :D
Now repeat the same process; you'll receive a new set of credentials.
However, if you now try logging in with your old creds, it doesn't work. So this effectively means you're able to change the password of any account you wish, provided you know the username of the doctor that you want to target.
The last step is where I essentially understood that you've actually taken over the account. Let me know if you've any questions.
FirstBlood ID: 17
Vulnerability Type: Auth issues
Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's.
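As an added illustration (not code from the report or from the FirstBlood application), the snippet below models the reported behaviour in Python with an in-memory SQLite table: the vulnerable registration handler upserts on username, so a second registration silently replaces the existing row and the old credentials stop working, while the fixed handler relies on a uniqueness constraint and refuses the duplicate. The schema, function names, generated-password flow and the upsert pattern are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3

# Constructed model of the doctor-registration flow; schema and names are assumptions.


def _hash(password: str) -> str:
    # Placeholder hash for the demo; a real system should use a slow KDF (argon2/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # PRIMARY KEY on username is the uniqueness guarantee the fixed handler depends on.
    db.execute("CREATE TABLE doctors (username TEXT PRIMARY KEY, pw_hash TEXT, approved INTEGER)")
    return db


def register_vulnerable(db: sqlite3.Connection, username: str) -> str:
    """Mirrors the bug: INSERT OR REPLACE overwrites an existing doctor with the
    same username, so whoever registers last owns the account."""
    password = secrets.token_urlsafe(12)  # server-generated credentials, as in the report
    db.execute("INSERT OR REPLACE INTO doctors VALUES (?, ?, 0)", (username, _hash(password)))
    return password


def register_fixed(db: sqlite3.Connection, username: str) -> str:
    """Hardened: plain INSERT lets the uniqueness constraint reject the duplicate,
    and the handler reports the conflict instead of replacing the row."""
    password = secrets.token_urlsafe(12)
    try:
        db.execute("INSERT INTO doctors VALUES (?, ?, 0)", (username, _hash(password)))
    except sqlite3.IntegrityError:
        raise ValueError("username already registered") from None
    return password


def login(db: sqlite3.Connection, username: str, password: str) -> bool:
    row = db.execute("SELECT pw_hash FROM doctors WHERE username = ?", (username,)).fetchone()
    return row is not None and secrets.compare_digest(row[0], _hash(password))
```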
A bounty was paid for this report but is only viewable to members.