FirstBlood-#21 — Newly created Doctor account was able to search for patient info via the query api
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-09, bobbylin reported:
A newly created doctor account was able to bypass the restriction to search for patient information.
We can do a request to get the patient information and bypass the client-side restriction in the hospital user portal.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
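The failure pattern behind this report is a restriction enforced only in the portal's client-side code while the query API trusts whatever the request says. The following is an added example, not code from the report or from the FirstBlood application: it contrasts a handler that honours a client-sent flag with one that decides from the server-issued session. The role names, the "approved" flag, the policy and the patient records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample records standing in for the portal's patient table.
PATIENTS = [
    {"id": 1, "name": "Alice Smith", "dob": "1980-02-14"},
    {"id": 2, "name": "Bob Jones", "dob": "1975-11-30"},
]


@dataclass
class Session:
    """Server-issued session: the only trustworthy source of privilege."""
    username: str
    role: str       # assumed roles: "doctor" or "admin"
    approved: bool  # assumed: has an administrator vetted this doctor account?


def _search(name):
    return [p for p in PATIENTS if name.lower() in p["name"].lower()]


def query_patients_vulnerable(session, name, client_allowed=True):
    """Mirrors the reported weakness: the portal hides the search box from
    unprivileged users, but the API only checks a flag the client sends, so
    any logged-in account can supply it and read patient data."""
    if not client_allowed:
        return 403, {"error": "forbidden"}
    return 200, _search(name)


def is_authorized(session):
    """Assumed policy: admins, plus doctor accounts an admin has approved."""
    return session.role == "admin" or (session.role == "doctor" and session.approved)


def query_patients_fixed(session, name, audit_log=None):
    """Server-side enforcement: authorization comes from the session the server
    issued, never from the request body or a client-side UI state."""
    if not is_authorized(session):
        if audit_log is not None:  # record the denied call so it can be detected
            audit_log.append(f"DENY patient_search user={session.username} role={session.role}")
        return 403, {"error": "forbidden"}
    return 200, _search(name)
```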
Respect Earnt: 1000000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.