FirstBlood-#141 — Doctor Invitation Code doesn't expire after first uage
This issue was discovered on FirstBlood v1
On 2021-05-10, 0xSaltyHash Level 3 reported:
The leaked invitation code is valid for more than account register and I can use it to register as many times as I want.
Invitation code should be invalidated after use for first time to reduce the risk of it being abused in case of leaking it (which is the case here)
- Go to /register.
- Enter a username and paste F16CA47250E445888824A9E63AE445CE in the invitation code field.
- Click on register.
- Try using the same code with another username and it will succeed.
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.