FirstBlood-#275 — Register as non admin doctor
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-15, twsec reported:
I really cracked my head over this. At first I thought there must be some bypass or hidden API endpoint, but all it was was some OSINT.
We google firstbloodhackers and we get a Reddit link.
We open it and we find the invite code.
Then we use the invite code and register a new doctor.
This report has been publicly disclosed for everyone to view
unique invite code
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
Respect Earnt: 2000000