FirstBlood-#187 — Information Disclosure allowing an attacker to register as a doctor
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-11, c3phas reported:
Hi, I found (after so many days of scratching my head) an information disclosure on Reddit which leaks an invite code allowing one to register as a doctor.
On register.php a doctor must have an invite-code in order to be registered.
Doing some dorking I came across a post on Reddit which leaked a code.
Using the above code I was able to register an account as a doctor.
Anyone can get an account as a doctor.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
Respect Earnt: 1500000
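One way to enforce the "expire after use" fix from the description above, shown as an added example that is not FirstBlood's own code: the invite is consumed in a single atomic UPDATE, so a code that later leaks publicly is already dead. The table layout, function names and usernames are assumptions, and Python with in-memory SQLite stands in for the PHP application's datastore.

```python
import hashlib
import secrets
import sqlite3
import time

def open_store():
    # Hypothetical schema: one row per issued invite, keyed by the code's hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invites (code_hash TEXT PRIMARY KEY, "
               "expires_at REAL NOT NULL, used_by TEXT)")
    return db

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

def issue_invite(db, ttl_seconds=7 * 24 * 3600, now=None):
    """Issue a random invite; only its hash is stored server-side."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(24)
    db.execute("INSERT INTO invites VALUES (?, ?, NULL)",
               (_digest(code), now + ttl_seconds))
    db.commit()
    return code

def redeem_invite(db, code, username, now=None):
    """Consume the invite atomically: True only for the first, unexpired use."""
    now = time.time() if now is None else now
    cur = db.execute(
        "UPDATE invites SET used_by = ? "
        "WHERE code_hash = ? AND used_by IS NULL AND expires_at > ?",
        (username, _digest(code), now))
    db.commit()
    return cur.rowcount == 1  # 0 rows: unknown, already used, or expired

def register_doctor(db, code, username, now=None):
    # A real handler would create the account in the same transaction.
    return "registered" if redeem_invite(db, code, username, now) else "rejected"

def demo():
    # Constructed scenario: a legitimate use, a replay of the same code, an expired code.
    db = open_store()
    code = issue_invite(db, ttl_seconds=3600, now=1000.0)
    first = register_doctor(db, code, "dr_alice", now=1500.0)
    replay = register_doctor(db, code, "stranger", now=1600.0)
    stale = issue_invite(db, ttl_seconds=3600, now=1000.0)
    expired = register_doctor(db, stale, "dr_late", now=5000.0)
    return first, replay, expired

if __name__ == "__main__":
    print(demo())
```

Rejections return the same result for unknown, used and expired codes, so the registration form does not reveal which invites once existed.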