FirstBlood #137: Potentially takeover other doctors' account?



On 2021-05-10, ibruteforce reported:

While trying to play with the unique invite code found at #123, I saw that you can register with the same account name multiple times, except drAdmin. I was essentially looking to find a way to register as a doctor without any restriction, which I still haven't figured out. However, upon trying to bypass the restriction, I found a sweet little bug where you could essentially take over any other doctor's account except the drAdmin one. Now these accounts could be approved at a later stage for full read access.

Even though the restricted account doesn't seem to have full access to patients' details, the attacker could effectively use the bugs shown in #124 and #128 to leak all the patient details. This includes the IDOR endpoints that could help leak all the patient details.

Although you could do the same by just making a new restricted account (without actually taking over an existing account), this bug will also help you just take over someone else's account (in case that specific doctor has got some specific patients, or if the restricted account actually changed to an account with full read access). This is just a theoretical idea; I won't be able to prove this just yet.

To Reproduce:

At this point, my thinking was what happens if you actually try to register the same account twice? Well, let's follow my next step :D

  • Now repeat the same process; you'll receive your new set of credentials.

  • However, if you now try logging in with your old creds, it doesn't work. So this effectively means you're able to change the password to whatever you wish, provided you know the username of the doctor that you want to target.

The last step is where I essentially understood that you've actually taken over the account. Let me know if you've any questions.

P2 High

Endpoint: /register.php

Parameter: NA

Payload: NA


FirstBlood ID: 17
Vulnerability Type: Auth issues

Unintended: An account with the same username can be created which leads to the original account being deleted and replaced with the attackers
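The root cause described above (a second registration with an existing username silently deletes and replaces the original record) is easiest to see next to the fix. The following is an added, self-contained model of a registration endpoint, not FirstBlood's own code; the SQLite schema, the function names and the sample usernames are constructed assumptions. The vulnerable handler does a delete-then-insert, so the original doctor's password hash is gone after the attacker registers; the hardened handler relies on a database UNIQUE constraint and refuses the second registration.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Hypothetical schema; the real /register.php backend is not on the page.
PBKDF2_ROUNDS = 50_000


def hash_pw(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'saltHex$digestHex'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_pw(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db(unique_username: bool) -> sqlite3.Connection:
    """In-memory doctors table; the UNIQUE constraint is the hardening knob."""
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_username else ""
    conn.execute(
        f"CREATE TABLE doctors ("
        f"  id INTEGER PRIMARY KEY,"
        f"  username TEXT {constraint} NOT NULL,"
        f"  password_hash TEXT NOT NULL,"
        f"  approved INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def register_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Delete-then-insert: re-registering a username replaces the existing account.

    This reproduces the unintended behaviour in the report: the original
    doctor's row (and their password) disappears and the caller's new
    credentials now answer for that username.
    """
    conn.execute("DELETE FROM doctors WHERE username = ?", (username,))
    conn.execute(
        "INSERT INTO doctors (username, password_hash) VALUES (?, ?)",
        (username, hash_pw(password)),
    )
    conn.commit()
    return True


def register_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Plain INSERT under a UNIQUE constraint; a duplicate username is rejected.

    Returns False instead of touching the existing row. Checking with a
    SELECT first would leave a race window; the constraint is authoritative.
    """
    try:
        conn.execute(
            "INSERT INTO doctors (username, password_hash) VALUES (?, ?)",
            (username, hash_pw(password)),
        )
        conn.commit()
    except sqlite3.IntegrityError:
        conn.rollback()
        return False
    return True


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT password_hash FROM doctors WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and verify_pw(row[0], password)


def account_count(conn: sqlite3.Connection, username: str) -> int:
    """Useful as a one-off audit query: any count other than 1 is a red flag."""
    return conn.execute(
        "SELECT COUNT(*) FROM doctors WHERE username = ?", (username,)
    ).fetchone()[0]


if __name__ == "__main__":
    # Constructed walkthrough mirroring the report's reproduction steps.
    bad = make_db(unique_username=False)
    register_vulnerable(bad, "dr_example", "original-secret")
    register_vulnerable(bad, "dr_example", "second-registration")
    print("vulnerable: original creds still work?", login(bad, "dr_example", "original-secret"))

    good = make_db(unique_username=True)
    register_fixed(good, "dr_example", "original-secret")
    print("fixed: second registration accepted?", register_fixed(good, "dr_example", "second-registration"))
    print("fixed: original creds still work?", login(good, "dr_example", "original-secret"))
```

The point of `register_fixed` is that uniqueness is enforced by the storage layer rather than by a special case for one reserved name such as drAdmin: a denylist protects one account, the constraint protects every account, including ones created after the check was written.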

Report Feedback

@zseano

Creator & Administrator


Great find and nice report :) We're awarding you a 187 bounty for a reason, as it's our final bounty to be paid and it brings our total to a certain number. ;-) Great work on the event, mate.


Respect Earnt: 2500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.