FirstBlood-#138Creating a new user with same username overrides old password which can lead to account takeover
This issue was discovered on FirstBlood v1

On 2021-05-10, 0xblackbird Level 5 reported:

Hello! I found out that when creating a new account with the same username as before, that it actually overrides the previously generated password and by that, the old password is no longer valid. I decided to report this issue because normally, the web app should have a little check in place and see if the username is already taken or not but in this case, it just changes the password. Or perhaps maybe do the same thing as for administrators. I noticed that when creating the same account with the following name drAdmin, it gives me an error telling me that the invite code is invalid. But when I tried dradmin or DRADMIN, I was able to login using the following credentials drAdmin:{GENERATED PASSWD}, but I still wasn't logged in as the Administrator. This indicates that even it the username isn't case-sensitive, that it still makes the difference between the new account and the administrator account.

Steps to reproduce

  • Visit /register.php

  • Choose any username, paste in the following invite code F16CA47250E445888824A9E63AE445CE and click on Secure Register.

  • Next, copy the credentials and note them down.

  • Now, go back to /register.php and do the same thing. Use the same username and paste in the invite code. Click on Secure Register.

  • Navigate to /login.php and try the first generated password. You'll notice that it does not work (anymore).

  • But when we try our second generated password, it works and we get logged in successfully.


I was able to change the password of other new doctor accounts by registering a new account with the same username.

Kind regards,

P2 High

Endpoint: /register.php

Parameter: username

Payload: N/A

FirstBlood ID: 17
Vulnerability Type: Auth issues

Unintended: An account with the same username can be created which leads to the original account being deleted and replaced with the attackers