FirstBlood-#141 Doctor Invitation Code doesn't expire after first usage



On 2021-05-10, 0xn00b reported:

Summary:

The leaked invitation code is valid for more than one account registration, and I can use it to register as many times as I want.

The invitation code should be invalidated after its first use to reduce the risk of it being abused if it leaks (which is the case here).

Steps:

  1. Go to /register.
  2. Enter a username and paste F16CA47250E445888824A9E63AE445CE in the invitation code field.
  3. Click on register.
  4. Try using the same code with another username and it will succeed.

P2 High

Endpoint: /register

Parameter: inviteCode

Payload: inviteCode=F16CA47250E445888824A9E63AE445CE


FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
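The single-use behaviour the report asks for, shown as an added example (Python over an in-memory SQLite table; this is not FirstBlood's own code). It places the existence-only check that the report describes next to a redeem function that checks and consumes the code in one conditional UPDATE, so a leaked code works at most once and two concurrent registrations cannot both succeed. The table layout, function names, expiry window and the constructed timestamps are assumptions.

```python
import secrets
import sqlite3
import time


def new_store() -> sqlite3.Connection:
    """Constructed in-memory table for the example; a real app would use its
    persistent database, but the single-use logic below is the same."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE invite_codes (
               code       TEXT PRIMARY KEY,
               role       TEXT NOT NULL,
               expires_at INTEGER NOT NULL,
               used_by    TEXT,            -- NULL until the code is redeemed
               used_at    INTEGER
           )"""
    )
    return conn


def issue_code(conn, role="doctor", ttl_seconds=7 * 24 * 3600, now=None) -> str:
    """Mint a fresh, unguessable invitation code with a hard expiry
    (assumed one-week default), so a forgotten code also dies on its own."""
    now = time.time() if now is None else now
    code = secrets.token_hex(16).upper()  # 128 bits of randomness, 32 hex chars
    conn.execute(
        "INSERT INTO invite_codes (code, role, expires_at) VALUES (?, ?, ?)",
        (code, role, int(now + ttl_seconds)),
    )
    conn.commit()
    return code


def redeem_vulnerable(conn, code, username) -> bool:
    """The pattern the report describes: the code is only checked for
    existence and never marked used, so a leaked code registers unlimited
    accounts. Kept here only as the 'before' of the fix."""
    row = conn.execute(
        "SELECT 1 FROM invite_codes WHERE code = ?", (code,)
    ).fetchone()
    return row is not None


def redeem_once(conn, code, username, now=None) -> bool:
    """Hardened version: one conditional UPDATE both validates and consumes
    the code. The WHERE clause only matches an unused, unexpired row, and the
    database serialises concurrent updates, so exactly one caller wins."""
    now = int(time.time() if now is None else now)
    cur = conn.execute(
        """UPDATE invite_codes
              SET used_by = ?, used_at = ?
            WHERE code = ? AND used_by IS NULL AND expires_at > ?""",
        (username, now, code, now),
    )
    conn.commit()
    return cur.rowcount == 1  # exactly one row flipped from unused to used


def redeem_failure_reason(conn, code, now=None) -> str:
    """After a failed redeem, classify why, so the application can log
    'reused' attempts as a detection signal for a leaked code."""
    now = int(time.time() if now is None else now)
    row = conn.execute(
        "SELECT used_by, expires_at FROM invite_codes WHERE code = ?", (code,)
    ).fetchone()
    if row is None:
        return "unknown"
    used_by, expires_at = row
    if used_by is not None:
        return "reused"
    if expires_at <= now:
        return "expired"
    return "valid"


if __name__ == "__main__":
    db = new_store()
    c = issue_code(db, now=1000)
    print("vulnerable, second registration:", redeem_vulnerable(db, c, "second"))
    print("hardened, first registration:  ", redeem_once(db, c, "first", now=1000))
    print("hardened, second registration: ", redeem_once(db, c, "second", now=1000),
          redeem_failure_reason(db, c, now=1000))
```

The important design point is that the check and the state change are a single statement: a SELECT followed by a separate UPDATE leaves a window in which two requests both see the code as unused. Logging the `reused` outcome gives the defender an early signal that a code has leaked, which is how this report would have been noticed server-side.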


Respect Earnt: 500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.