FirstBlood-#25 Invite Code leaking on Reddit



On 2021-05-09, mava reported:

Hi zseano,
I found an Info Leak on Reddit.
https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/

Impact

This Reddit leaks the invite code F16CA47250E445888824A9E63AE445CE which thereby allows anybody to signup as a doctor.
This could allow anybody to read sensitive information.

PoC

  1. Go to http://firstbloodhackers.com:49331/register.php
  2. Enter a username and F16CA47250E445888824A9E63AE445CE.
  3. You are signed in!

Fix

Invalidate the invite Code.

Best regards,
Max

P2 High

Endpoint: reddit

Parameter: Invite Code

Payload: F16CA47250E445888824A9E63AE445CE


FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
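The two remediations above (expire the code after one use, and be able to invalidate a code that has already leaked) come down to how the registration endpoint stores and redeems invite codes. The following is an added example, not FirstBlood's own register.php, showing a single-use invite store in Python: codes are random, only their hash is kept, redemption binds the code to the account that used it so a second redemption fails, a time-to-live rejects stale codes, and a revoke operation handles the "code was posted publicly" case. The store, the one-week TTL and the field names are assumptions made for the example.

```python
"""Single-use, revocable invite codes for a registration endpoint (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

INVITE_TTL_SECONDS = 7 * 24 * 3600  # hypothetical policy: an unused code dies after a week


@dataclass
class Invite:
    code_hash: str                    # SHA-256 of the code; the plaintext is never stored
    role: str                         # privilege the code grants, e.g. "doctor"
    issued_at: float
    expires_at: float
    redeemed_by: Optional[str] = None  # username that consumed the code, if any
    revoked: bool = False              # set when the code is known to have leaked


@dataclass
class InviteStore:
    """In-memory stand-in for an invites table (constructed for this example)."""
    invites: Dict[str, Invite] = field(default_factory=dict)

    @staticmethod
    def _hash(code: str) -> str:
        # Normalise case/whitespace so "f16c..." and "F16C..." are the same code,
        # then hash: a database dump must not hand out usable codes.
        return hashlib.sha256(code.strip().upper().encode()).hexdigest()

    def issue(self, role: str, now: Optional[float] = None) -> str:
        """Mint a fresh 128-bit code for `role` and return it to the inviter once."""
        now = time.time() if now is None else now
        code = secrets.token_hex(16).upper()
        inv = Invite(self._hash(code), role, now, now + INVITE_TTL_SECONDS)
        self.invites[inv.code_hash] = inv
        return code

    def revoke(self, code: str) -> bool:
        """Invalidate a code that has leaked; returns False if the code is unknown."""
        inv = self.invites.get(self._hash(code))
        if inv is None:
            return False
        inv.revoked = True
        return True

    def redeem(self, code: str, username: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Consume the code for `username`. Returns (ok, role-or-reason)."""
        now = time.time() if now is None else now
        # Lookup is by hash of a random token, so there is no secret to compare
        # against user input byte-by-byte and no timing side channel to worry about.
        inv = self.invites.get(self._hash(code))
        if inv is None:
            return False, "unknown code"
        if inv.revoked:
            return False, "code revoked"
        if inv.redeemed_by is not None:
            return False, "code already used"
        if now > inv.expires_at:
            return False, "code expired"
        inv.redeemed_by = username   # bind the code to the account; no second use
        return True, inv.role


def register(store: InviteStore, username: str, code: str,
             now: Optional[float] = None) -> Dict[str, str]:
    """What a register.php-style handler would do with the submitted code."""
    ok, detail = store.redeem(code, username, now)
    if not ok:
        # Same generic message for every failure so callers cannot probe which codes exist.
        return {"status": "rejected", "reason": "invalid invite code"}
    return {"status": "created", "username": username, "role": detail}


if __name__ == "__main__":
    store = InviteStore()
    code = store.issue("doctor")
    print(register(store, "alice", code))    # created as doctor
    print(register(store, "mallory", code))  # rejected: already used
```

In a real deployment the redeem step must be atomic at the database level (an `UPDATE ... WHERE redeemed_by IS NULL` that checks its row count, or a row lock), otherwise two concurrent registrations can both pass the "not yet used" check; the in-memory store above shows the rule, not the concurrency guard.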

Report Feedback

@zseano

Creator & Administrator


Nice find mava :)


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.