FirstBlood-#275 Register as non admin doctor

On 2021-05-15, twsec reported:

I really cracked my head over this; at first I thought there must be some bypass or hidden API endpoint, but in the end it was just some OSINT.

We Google "firstbloodhackers" and we get:

a Reddit link. We open it and

we find the invite code.

Then we use the invite code and register a new doctor.

P2 High

Endpoint: /register

Parameter: unique invite code

Payload: F16CA47250E445888824A9E63AE445CE

FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
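A defender's fix for the weakness described above, as an added example that is not the reporter's code or the FirstBlood application's own: invite codes are stored only as hashes, carry an expiry, and are burned atomically on first redemption, so a leaked code that has already been used (or has aged out) no longer opens the doctor portal. `InviteStore`, `register_doctor` and the 24-hour TTL are assumptions of this example.

```python
import hashlib
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Invite:
    code_hash: str          # only a hash is stored; the plaintext is handed out once
    expires_at: float       # absolute deadline, epoch seconds
    used: bool = False


class InviteStore:
    """Single-use, time-limited doctor invite codes (constructed example)."""

    def __init__(self, ttl_seconds: int = 24 * 3600):
        self._ttl = ttl_seconds
        self._invites: Dict[str, Invite] = {}
        self._lock = threading.Lock()     # one redeem wins if two requests race

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, now: Optional[float] = None) -> str:
        """Mint a fresh 128-bit random code and return the plaintext once."""
        now = time.time() if now is None else now
        code = secrets.token_hex(16).upper()  # same shape as a 32-hex-char invite
        h = self._hash(code)
        with self._lock:
            self._invites[h] = Invite(h, now + self._ttl)
        return code

    def redeem(self, code: str, now: Optional[float] = None) -> bool:
        """Consume a code: succeeds only once, and only before it expires."""
        now = time.time() if now is None else now
        h = self._hash(code)              # lookup by hash, never by raw code
        with self._lock:
            inv = self._invites.get(h)
            if inv is None or inv.used or now >= inv.expires_at:
                return False
            inv.used = True               # burned inside the lock, so no double use
        return True


def register_doctor(store: InviteStore, invite_code: str, username: str,
                    now: Optional[float] = None) -> str:
    """Hypothetical /register handler: no account unless the invite is consumed."""
    if not store.redeem(invite_code, now):
        return "rejected: invalid, used or expired invite code"
    return f"created doctor account {username}"
```

A second registration with the same code, or any code past its deadline, is refused even though the code itself is still "correct".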

Respect Earnt: 2000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.