FirstBlood-#141 — Doctor Invitation Code doesn't expire after first usage
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, 0xn00b reported:
The leaked invitation code is valid for more than one account registration, and I can use it to register as many times as I want.
The invitation code should be invalidated after it is used for the first time, to reduce the risk of it being abused in case it is leaked (which is the case here).
- Go to /register.
- Enter a username and paste F16CA47250E445888824A9E63AE445CE in the invitation code field.
- Click on register.
- Try using the same code with another username and it will succeed.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
Respect Earnt: 500000
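One way to enforce the single-use behaviour the report asks for, shown as an added example (not FirstBlood's code). The schema, the function names and the sample invite value are assumptions constructed for illustration; the point is that consuming the code and creating the account happen in one transaction, so a reused or concurrently submitted code fails.

```python
import hashlib
import sqlite3


def _digest(code: str) -> str:
    # Store only a hash so a database leak does not expose usable codes.
    return hashlib.sha256(code.strip().encode()).hexdigest()


def init_db(conn: sqlite3.Connection) -> None:
    # Hypothetical schema: one row per issued invite, NULL used_by = unused.
    conn.executescript("""
        CREATE TABLE invites (code_hash TEXT PRIMARY KEY, used_by TEXT);
        CREATE TABLE users (username TEXT PRIMARY KEY);
    """)


def issue_invite(conn: sqlite3.Connection, code: str) -> None:
    conn.execute(
        "INSERT INTO invites (code_hash, used_by) VALUES (?, NULL)",
        (_digest(code),),
    )
    conn.commit()


def register(conn: sqlite3.Connection, username: str, code: str) -> bool:
    """Create the account only if the invite is still unused."""
    try:
        with conn:  # one transaction: commit on success, roll back on error
            # Conditional UPDATE is the atomic "claim": it matches at most
            # once per code, even when two requests arrive together.
            cur = conn.execute(
                "UPDATE invites SET used_by = ? "
                "WHERE code_hash = ? AND used_by IS NULL",
                (username, _digest(code)),
            )
            if cur.rowcount != 1:
                return False  # unknown code, or already consumed
            conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
        return True
    except sqlite3.IntegrityError:
        # Username taken: the rollback also releases the invite claim.
        return False
```
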